
Experts Predict Security and P...

12-21-2015


Originally posted by ID Experts Blog. Reposted with permission.

2015 was a challenging year for defenders of privacy and security. For the first time, cyber-attacks became the leading cause of data breaches, as indicated by several annual data breach studies, including the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. At the beginning of the year, multiple experts (including ID Experts) also predicted that 2015 would be “the year of the healthcare data hack,” and so it has been, with Anthem, Premera, and other big breaches in the news. Gemalto’s Breach Level Index reported 187 healthcare breaches in the first half of the year alone, with 84.4 million healthcare records breached, accounting for 34 percent of all records breached at that time.

With no obvious end in sight, these trends are likely to continue, but 2016 will present some new challenges. To help you prepare, we asked a number of experts in information privacy and security what they think will be the most significant threats and trends in the coming year.

1. Cyber-crime Will Continue to Grow
Karen Barney, program director at the Identity Theft Resource Center (ITRC), predicts that the threat of cyber-attacks and cyber-crime will continue to grow: “We track data breaches daily, and we’re seeing from our data breach report that hacking and skimming have definitely increased significantly over last year. In 2014, hacking, skimming, phishing and other cyber-threats accounted for 29 percent of breaches. So far this year, they account for 38 percent, and I expect that trend to continue into 2016.” But she is also seeing a positive, though unexplained, trend: “There is a decrease in breaches caused by sub-contractors and third parties: in 2014, third-party breaches were at 15 percent, whereas in 2015 so far, they’re only at 9 percent. We don’t know what’s behind that trend, but it’s a point of interest.”

2. Beware the IoT
Experts are watching the “Internet of things” closely for signs that cyber-thieves are turning their sights to the billions of devices that are fast becoming part of our everyday computing environment.

Rick Kam, president and co-founder of ID Experts, points out that hacking of connected devices is fast moving from a theoretical vulnerability to a significant threat. “Right now, it makes the news when researchers are able to change the operation of a heart pump or take control of a Jeep via its Internet-connected entertainment system. These reports are great news bytes, but these researchers are showing us the next step in a problem that’s already happening. Our power, water, and manufacturing plants are being attacked every day, and hostile or activist hackers have been able to take over everything from a ship at sea to centrifuges at nuclear plants, steel mills, and even smart appliances. Not only are all these devices vulnerable endpoints that can let hackers into our business systems, it is only a matter of time before we see successful large-scale attacks on our infrastructure. If hackers will use ransomware to get a few hundred or thousand dollars by holding a home computer or small business computer hostage, how long can it be before they are ransoming a power plant, a water supply, or critical medical devices?”

Dr. Larry Ponemon, chairman and founder, Ponemon Institute, concurs. “All of this disruptive technology will create all sorts of new potential security issues. We may soon be looking at insertables—implants, pacemakers, insulin pumps—becoming targets of cyber-terrorists. And this is not science fiction. It’s already been demonstrated.”

Doug Pollack, ID Experts chief strategy officer, worries about the privacy risks of personal devices:
“I see the explosion of wearable devices as a likely new area for potential privacy concerns. Just as with mobile devices, wearables are likely to expose new security threats, while getting real-time access to new types of data about individuals that has not been captured before. Especially as new applications are deployed on these devices, there will be unintended consequences when it comes to the protection and privacy of the user’s personal data.”

Liz Fraumann, executive director of the Securing Our eCity Foundation, sees data collection as one of those unanticipated privacy risks for the IoT. She points out that, “Cisco says there will be 50 billion ‘things’ online in just 5 years. For example, I was in a discussion recently about biofeedback mechanisms such as the FitBit. They broadcast personal information, GPS coordinates, and more. Healthcare providers say they want that data, but who else will have that data? To take the hypothetical from the worrisome to the slightly ridiculous, look at Internet-ready toilets and refrigerators. Say I am diabetic, and my toilet and other monitors send my blood sugar information to my doctor throughout the day, and all that ties to my refrigerator. Now I ate something I shouldn’t, so my toilet tells on me and my refrigerator locks. And who else has access to this information? Do you want your insurance denied because you had an ice cream bar or forgot to take your meds one day? We want choices as individuals, but with all the monitoring, you could have less and less.”

3. Security vs. Privacy Face-Off
Dr. Larry Ponemon expects that 2016 will see a growing tension between security and privacy. “I think we’re already seeing the beginnings of this struggle in the disagreements between Apple and the federal government and EU Safe Harbor ruling. With all the international tensions, we are going to see more cyber-terrorism and general terrorism, at the same time individuals are looking for greater privacy protection. For example, people might want phone encryption to protect their personal privacy but bad guys could use that to hide, so it’s a tension. If you’re worried about going to a restaurant without getting shot, that’s more important than encryption on your phone. With worries about physical security, there may be a backlash that could prevent companies from implementing stronger digital security.”

4. Threat Intelligence Will Increase
Dr. Ponemon also predicts that threat intelligence and tracking will evolve in 2016: “We will continue to improve our ability to use advanced analytics to identify anomalies. Threat intelligence, network intelligence, and intelligence feeds will continue to grow at a good clip. The caution on any kind of surveillance is that many of the surveillance tools being used by hackers today start with government, but they get out the back door and backfire when they get in hands of bad guys.”

Meeting 2016 with New Resolve
The Securing our eCity Foundation works with individuals and businesses to help prepare for privacy and security threats. Based on the experiences of businesses she works with, Liz Fraumann has some recommended New Year’s resolutions for businesses of all kinds and sizes:

  • Educate your staff. Especially with the pace at which everyone is working, we are set up to make mistakes that can cause data breaches. For example, the Anthem breach started because an admin didn’t catch a typo in the company name in a phishing attack and clicked on a link that let hackers invade their systems.
  • Put a social media policy in place. Make it clear what people are allowed to access on work equipment and networks and when, and what they should never do.
  • Have a response plan in place before you are breached.
  • Segment your networks to make it harder for attackers to get to sensitive information. Don’t have the accounting department on the same network as research or human resources. Subnets also make it easier to set different access privileges for different employees, so, for example, stolen credentials from a marketing intern don’t lead to a breach of all your employees’ or customers’ personal information.

Threats will continue to evolve, but all of these basic measures will help you to be more successful in meeting whatever privacy and security challenges come your way. Meantime, watch for our next installment, “Top Privacy Compliance Predictions for 2016.”

Are You at Risk of a Data Brea...

12-18-2015


Data breaches are a significant business threat across every industry; no one is immune. The impact of a data breach on a financial institution, however, can be particularly grievous, and the threat is only likely to grow in 2016.

According to data from the Identity Theft Resource Center, there were 28% more data breaches in 2014 than the previous year. As of Dec. 8, 2015, the ITRC had recorded 732 breaches that exposed more than 176 million records; 66 of them were in the financial services/banking segment. Clearly, the rate of breaches is not flagging, and what’s more, their ability to damage a company’s bottom line seems to be escalating.

High-profile breaches like the Anthem breach in 2015 (80 million records) and the eBay breach in 2014 (145 million records) have captured the public’s attention; your customers are likely heading into 2016 far more aware of data breaches and their link to elevated identity theft risks than they were a few years ago.

This greater consumer awareness accounts for at least part of the cost of post-breach recovery for companies. The average data breach costs companies $6.5 million, according to the Ponemon Institute. In fact, the financial industry has one of the highest breach costs — $259 per record, making it third behind healthcare and pharma concerns, Ponemon reports. What’s more, financial institutions experience the highest level of post-data breach churn of any industry, coming in at 7.1%.


To help financial institutions better understand data breach realities, risks and preventive measures, we’ve put together an infographic. You can download it here to learn more about how a data breach might affect your financial institution and what you can do to mitigate potential damages, including abnormal churn.

Paul Bjerk is a Fraud and Risk Products Leader with Shared Assessments Program member, Deluxe Corporation. Connect with Paul on LinkedIn.

Reposted with permission from Deluxe Blogs

Compliance Program Presents Th...

12-15-2015


In my house, the boys are getting excited anticipating the presents that are going to be under the Christmas tree. My figurative presents under the tree are some thoughts from the 2015 Privacy. Security. Risk. (P.S.R.) conference presented by the International Association of Privacy Professionals (IAPP) and the Cloud Security Alliance (CSA). When you open these presents, you’ll find thoughts from Lockheed Martin, Microsoft, Acxiom and Hewlett-Packard to help improve your compliance program in 2016.

APPLYING RISK MANAGEMENT TECHNIQUES TO MANAGING PRIVACY
Jim Byrne, Chief Privacy Officer (CPO) and Associate General Counsel at Lockheed Martin; Brendon Lynch, CPO at Microsoft

At Lockheed Martin, Mr. Byrne takes a dual perspective on assessing risk, first examining risk from the customer’s perspective and then from the business perspective. This requires a deliberate compliance strategy, an understanding of organizational structure and accountability, policy development, incident management, and privacy reviews. On privacy reviews, he highlighted three specific components: what constitutes a privacy review, which type of review an initiative needs, and how exceptions to the review process are handled.

The framework Lockheed Martin uses can be described as follows:

Governance

  • Corporate strategy and direction
  • Executive leadership aligned with corporate approach
  • Champions within business units ensuring operational alignment

Compliance

  • Approach to cross-border data transfers
  • Incident and breach management
  • Policy development and communication
  • Oversight

    • Privacy Impact Assessments
    • Application reviews
    • Process change management

Integration

  • Vendor evaluation processes – Request for Proposals
  • Supply chain management
  • Outside counsel management and involvement
  • Mergers & Acquisitions

Workforce Excellence

  • Training and Awareness
Mr. Lynch outlined Microsoft’s methodology for managing privacy risk. That approach scores the likelihood of a risk having an organizational impact on a 1 to 5 scale and the potential impact of the risk on a 1 to 5 scale, then multiplies the two to determine “inherent risk” on a 1 to 25 scale. This is then compared to the perceived effectiveness of the controls that mitigate, monitor, and manage the risk. Each risk can then be plotted on an X-Y graph, with risk treatments as follows:

  • Tolerate: Inherent Risk score <10, Control Effectiveness <3
  • Operate: Inherent Risk score <10, Control Effectiveness >3
  • Monitor: Inherent Risk score >10, Control Effectiveness >3
  • Improve: Inherent Risk score >10, Control Effectiveness <3
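The likelihood-times-impact model above, worked through as an added example; this is not Microsoft’s, Deluxe’s, or the original post’s code. It assumes a 1 to 5 scale for control effectiveness (the post gives only the <3 and >3 thresholds) and, because the post does not say how scores that land exactly on a boundary are handled, treats an inherent risk of exactly 10 or a control effectiveness of exactly 3 as the more demanding side, so no risk falls through a gap. The sample risks are constructed, not taken from the post.

```python
"""Risk-treatment classifier for the likelihood x impact model.

Added example, not Microsoft's, Deluxe's or the post's own code. Assumptions:
  - likelihood and impact are integers on a 1..5 scale (from the post),
  - control effectiveness is an integer on a 1..5 scale (assumed),
  - boundary values (inherent risk == 10, control effectiveness == 3) are
    classified conservatively, i.e. as high risk / weak control (assumed).
"""
from dataclasses import dataclass

RISK_THRESHOLD = 10      # inherent risk at or above this counts as high
CONTROL_THRESHOLD = 3    # control effectiveness at or below this counts as weak


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int             # 1..5
    impact: int                 # 1..5
    control_effectiveness: int  # 1..5 (assumed scale)


def inherent_risk(likelihood: int, impact: int) -> int:
    """Likelihood x impact on a 1..25 scale; rejects out-of-range inputs."""
    for label, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{label} must be an integer in 1..5, got {value!r}")
    return likelihood * impact


def treatment(score: int, control_effectiveness: int) -> str:
    """Map (inherent risk, control effectiveness) to one of the four treatments.

    Quadrants follow the post: low risk + weak control -> Tolerate,
    low risk + good control -> Operate, high risk + good control -> Monitor,
    high risk + weak control -> Improve. Boundary handling is an assumption.
    """
    if not isinstance(control_effectiveness, int) or not 1 <= control_effectiveness <= 5:
        raise ValueError("control effectiveness must be an integer in 1..5")
    high_risk = score >= RISK_THRESHOLD
    weak_control = control_effectiveness <= CONTROL_THRESHOLD
    if high_risk and weak_control:
        return "Improve"
    if high_risk:
        return "Monitor"
    if weak_control:
        return "Tolerate"
    return "Operate"


def risk_register(risks: list) -> list:
    """Score every risk and sort so that 'Improve' items come first,
    highest inherent risk first within each treatment."""
    order = {"Improve": 0, "Monitor": 1, "Tolerate": 2, "Operate": 3}
    rows = []
    for r in risks:
        score = inherent_risk(r.likelihood, r.impact)
        rows.append({
            "name": r.name,
            "inherent_risk": score,
            "control_effectiveness": r.control_effectiveness,
            "treatment": treatment(score, r.control_effectiveness),
        })
    rows.sort(key=lambda row: (order[row["treatment"]], -row["inherent_risk"]))
    return rows


# Constructed sample register; the values are illustrative, not from the post.
SAMPLE_RISKS = [
    Risk("Unencrypted backup tapes leave the building", 4, 5, 2),
    Risk("Vendor retains customer data past contract end", 3, 4, 4),
    Risk("Marketing intern credentials phished", 2, 3, 2),
    Risk("Internal wiki exposes employee directory", 1, 2, 5),
    Risk("Boundary case: score exactly 10, control exactly 3", 2, 5, 3),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(f"{row['treatment']:<9} risk={row['inherent_risk']:>2} "
              f"control={row['control_effectiveness']}  {row['name']}")
```

Running the block prints the register sorted by urgency: the two “Improve” items first (the 20-point tape risk, then the boundary case at 10), then “Monitor”, “Tolerate” and “Operate”. Whatever boundary rule an organization chooses, it should be written down next to the scale, as the comments do here, so two assessors scoring the same risk land in the same quadrant.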

PRIVACY IMPACT ASSESSMENTS: SPEAKING THE BUSINESS LANGUAGE
Sheila Colclasure, Privacy Officer at Acxiom; Scott Taylor, VP and CPO at Hewlett-Packard

Ms. Colclasure and Mr. Taylor outlined a process by which compliance teams can increase the impact of their assessments of compliance risk. The foundation of this was as follows:

Understand the Business Values

  • Corporate values as they relate to compliance
  • How the company wants to be seen by the public
  • Start with industry best practices
  • Comply with the law and align with company values
  • Base the assessment on the business model, not an off-the-shelf model

Understand the Privacy Office Objectives

  • Brand protection
  • Compliance
  • Sustainability of the privacy program

Understand the Business Objectives

  • Brand protection
  • Mitigating complexities
  • Simple
  • Fast
  • Easy and accessible

Your assessment process and program need to serve as a business enabler for your operational teams to achieve their goals. The process needs to get to “Yes” in a timely manner, provide guidance that can be used to reach objectives, and deliver what the operational teams need to be effective. The process needs to invert the traditional perspective that compliance teams take and put business enablement ahead of pure compliance.

FOUR AREAS TO EVALUATE TO SEE IF YOUR COMPLIANCE TEAM IS DRIVING THE IDENTIFIED VALUES:

  • Has the compliance team identified, socialized, and realized the business value of the assessment process?
  • Is the compliance team playing offense – proactively reaching out, espousing the benefits of using the process and the negative consequences of not using it – or playing defense?
  • Is the assessment process effectively positioned in the minds of the operational stakeholders?
  • Has your organization bought into the process, and is it effectively participating?

These sessions reinforced for me the importance of a compliance team engaging productively with its partners within the business. In the New Year, you can evaluate the relationship they have with each other in your institution. Your input and leadership can help them find more effective ways to collaborate. The increased strength of your compliance program from these efforts will be the present that keeps on giving throughout 2016.

Brad Reimer, CIPP/US, is Manager, Privacy and Marketing Compliance at Deluxe Corporation. Brad has worked in the privacy area as a compliance subject matter expert in operational, legal, IT, and governance roles, developing policies, procedures, tools, and governance structures to ensure efficient and effective operational alignment with regulatory requirements, industry best practices, and corporate policies. Connect with Brad on LinkedIn.

Reposted with permission from Deluxe Blogs

Incident Response and Third Pa...

12-09-2015

Today, the Shared Assessments Program released a briefing paper titled Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program. The paper was developed out of great necessity, as it became clear that Program members needed additional guidance when managing incidents at the service provider level. The goal of the paper is to offer a guide on effective third party incident management across three distinct stages:

1. Pre-incident
2. During the incident
3. Post-incident

Incident response has become a hot topic for organizations of all sizes as the level and sophistication of cyber attacks continues to increase. Additional requirements around the protection of data, as well as notification requirements, seem to be dominating the conversations with regulators and at the board of directors level. Although there is a significant trove of information available on incident management, the topic of incident management and response in relationship to a third party outsourcing agreement has been notably missing.

Born as a project within the Shared Assessments Program’s Standardized Information Gathering (SIG) Development Committee, the briefing paper was developed by a group of industry thought leaders and contributors to the Shared Assessments Program who have experience in incident management at third parties. It represents a great effort by those involved, and I expect the final product will help companies of all sizes better prepare for and manage the monitoring of their third parties’ incident event management programs. I would like to thank everyone who participated in the Third Party Incident Response Subcommittee in support of the paper.

The next step is to determine whether the information presented within the briefing paper should be included in the SIG itself or potentially released as a separate Shared Assessments Program Tool. If you find the briefing paper interesting and choose to incorporate it into your organization’s best practices, I would love to hear whether it was helpful, led to changes in your organization’s approach, and/or if you believe improvements should be made to the paper. My organization, Prevalent, Inc., along with others on the Shared Assessments Program’s SIG Development Committee, hosted a webinar with more detail about this paper today and will make the webinar replay available within the coming weeks.

Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc., is the 2015 Shared Assessments Program Chair. Jonathan is responsible for driving the direction of Prevalent, as well as managing the sales, project management, operations, legal, and marketing organizations at the company.

To obtain a copy of the paper, click here.

To view the webinar, click here.

Please send comments on this subject to Jonathan Dambrot at blog@prevalent.net.

Shared Assessments Program Pub...

12-07-2015

For Immediate Release

MEDIA CONTACT:
Sarah Perry, Senior Marketing Manager
Santa Fe Group
O: 602-441-1769
sarah@santa-fe-group.com

Kathy Keller, Director, PR
Protiviti
O: 650-234-6252
kathy.keller@protiviti.com

Shared Assessments Program Publishes New Best Practices Briefing Paper to Address Serious Need for Third Party Incident Management.

Shared Assessments Program Chair, Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc., to lead a December 9th webinar discussion with three of the authors of a new best practices briefing paper for effective incident event management.

Santa Fe, NM – December 8, 2015 – Effective third party due diligence demands a higher level of review than is presently being performed by most organizations. Yet coordinated and active vendor involvement is lacking in many outsourcing organizations’ incident event management programs. Even among the 43 percent of organizations that report a formal incident program is in place, only 9 percent of incident management professionals deem theirs to be “very effective” (SANS Institute, 2014). A new briefing paper by the Shared Assessments Program, developed in response to the need for improved third party incident response management, will be released on December 9, 2015 in conjunction with a complimentary webinar taking place at 8:00 a.m. (PST).

Today’s incident response professionals are seeking to improve organizational analysis and reporting capacity by focusing on the use of Security Information and Event Management (SIEM) tools. Shared Assessments is leading the way in determining best practice tools for planning and program development that will enable organizations to:

  • Establish and maintain a coherent incident response program of planning, preparation, execution, reporting, and remediation control.
  • Improve outcomes through a higher level of preparation against increasingly inevitable incidents.
  • Better protect their reputation by having a mature response process that involves third parties.

“We hope incident response professionals will take advantage of the best practices put forth in our new briefing paper and the insights that will be shared during our webinar,” said Dambrot, moderator of the webinar.

The briefing paper, titled Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program, will be made available to those individuals who attend the December 9 webinar. Three of the paper’s co-authors, who are subject-matter experts in their respective fields, will serve as guest speakers during the 8:00 a.m. (PST) webinar. They are:

  • Brenda Ward, Director of Global Security, Aetna.
  • Rocco Grillo, Managing Director and Global Leader of Forensics and Incident Response, Protiviti.
  • Ted Julian, Co-founder and Vice President of Product Management, Resilient Systems.

“With the evolving cyber threat environment, and the resulting regulatory scrutiny, companies need to ensure continually that their third party suppliers and business partners who are entrusted with all types of critical assets – often called a company’s ‘crown jewels’ – are vigilant in protecting those assets. To this end, third party service providers must have their own mature incident response plans that are not only comprehensive but battle-tested as well,” said Grillo.

The webinar presenters will discuss and outline a newly developed, robust risk management guide that provides a clean, consistent methodology for the assessment of incident preparedness, incident management and post-incident recovery. The model contains a defined means for protecting data, consumers and the outsourcing relationship. Step-by-step guidelines can be tailored to each relationship depending on vendor type.

To register for the one-hour webinar and then receive the briefing paper, please click here. The complimentary webinar is open to the general public.

About Shared Assessments
The Shared Assessments Program is the trusted source in global third party risk management, with resources to effectively manage the critical components of the vendor risk management lifecycle; creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines, and the current threat environment; adopted globally across a broad range of industries both by service providers and their customers. Through membership and use of the Shared Assessments Program Tools (the Agreed Upon Procedures (AUP), Standardized Information Gathering (SIG) questionnaire and Vendor Risk Management Maturity Model (VRMMM)), Shared Assessments offers companies and their service providers a faster, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic advisory company based in Santa Fe, New Mexico. For more information on Shared Assessments, please visit https://sharedassessments.org.

About Protiviti Inc.
Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries, helping them solve problems on a wide range of critical business issues, including finance and transactions, operations, technology, litigation, governance, risk, and compliance.

About Prevalent, Inc.
Prevalent (www.prevalent.net) is a vendor risk management and cyber threat intelligence analytics innovator with a reputation for developing cutting-edge technologies and highly-automated services that are proven to help organizations reduce, manage and monitor the security threats and risks associated with third party vendors.

###

Target Reaches Settlement with...

12-03-2015

Two years after the event, the full cost of the Target breach is coming into sharper focus. In addition to a $900 million revenue decline in the 4th quarter of 2013 (versus 2012), the loss of any possible revenue growth in the 2013 holiday season, legal costs, etc., Target will pay MasterCard, Visa, and financial institutions more than $100 million, as this BankInfoSecurity blog post notes…

Click here to read the full article

The Dangers of Forgotten Data...

12-01-2015

Just about every business works with masses of data every day, much of which is used and then filed away and forgotten. Gartner calls this forgotten data “dark data,” and defines it as “information assets organizations collect, process and store during regular business activities, but generally fail to use for other purposes.”

Forgotten data poses a serious security risk. In fact, Verizon’s 2008 Data Breach Investigations Report found that 66 percent of breaches involved forgotten data—data that companies do not even know is in their system.

Forgotten data includes all sorts of information that hackers can potentially find on the deep web, including old reports and sales presentations, archived emails, outdated customer information, network log files, and metadata. Forgotten data also includes information that your company may store without realizing it, not only on PCs and thumb drives but also on devices such as:

  • Scanners
  • Printers
  • Photocopiers
  • Fax machines

Take the 2012 Affinity Health Plan breach, for instance, in which the hard drives on several leased photocopiers contained confidential health information for more than 344,000 patients.

Affinity failed to delete the forgotten data on the hard drives before returning the copiers to the leasing company. The result? Affinity was fined over $1.2 million by the U.S. Department of Health and Human Services (HHS).

Five Steps to Protect Your Business

What can companies do to protect themselves? Here are five steps you can get started on right now:

1. Acknowledge the problem. Simply recognizing that forgotten data is out there and poses a potentially serious security risk is essential. Remember that acknowledgement is the first step towards recovery.
2. Examine your data retention policies. Employees are typically data hoarders and storage is inexpensive, which makes it tempting to hang onto massive amounts of data—until you consider what a breach of that data could cost you. Stored data could one day be the source of great insight or innovation, but ask yourself: Does the risk of storing the data outweigh the value of purging it? “Just in case” data could cost your organization tens of thousands of dollars (or more) in fines and lawsuits.
3. Consider de-identifying or encrypting stored data. If the data must be retained, consider de-identifying or encrypting it. Encryption would make it more difficult for hackers to unlock the contents, and strong access controls and monitoring can limit any damage.
4. Add forgotten data to your risk assessment process. As part of your risk assessment process, review your data storage policies and inventory the data you have gathered and continue to gather on legacy systems, email systems, backup tapes, content management systems, databases, and more.
5. Examine your data disposal strategies. According to the 2015 Verizon Data Breach Investigations Report, nearly 12 percent of all miscellaneous errors that lead to a data breach are the result of insecure disposal of personal and medical data.

If a data breach occurs, saying that your company did not know the data existed will not be an acceptable defense. That’s why it is critical to take those five steps now to find, protect, or dispose of all your data—including data that’s been long forgotten.

Mahmood Sher-Jan is EVP and General Manager, RADAR Product Unit, at ID Experts. He brings over 25 years of experience in developing risk and fraud management, security, compliance, and data breach solutions.

Originally posted on ID Experts blog. Reposted with permission.

    Shared Assessments 2015 – Bu...

    11-30-2015

    2015 at Shared Assessments was a year for building best practices and compliance awareness, continuing longitudinal third party risk management and assurance research and reporting and providing risk [...]

    2015 at Shared Assessments was a year for building best practices and compliance awareness, continuing longitudinal third party risk management and assurance research and reporting and providing risk professionals with development opportunities unique in the marketplace. Program efforts this year also reflect increased international focus, working with organizations with a global presence, as well as those headquartered overseas.

    In addition to increasing Shared Assessments membership from 121 in 2014 to 180 in 2015, additional highlights for the year include:

    • Providing vertical and sector specific roundtables and workshops to better understand the needs of our membership.
    • The launch of the Certified Third Party Risk Professional (CTPRP) designation, and additional training and educational resources for risk professionals.
    • Conducting our Eighth annual Shared Assessments Summit with a record turnout of 250 attendees.
    • Continued momentum on developing our Collaborative Onsite Assessments program and facilitation of additional financial services program pilots.
    • International expansion for the Shared Assessments Program, focused on growth into the UK and Asia-Pacific regions.
    • Shared Assessments Program Tools improvements and updates in response to changes in regulations, standards and guidelines at both the national and international level.

    2015 Shared Assessments Summit
    Our eighth annual Shared Assessments Summit was held April 29-30, 2015 in Baltimore, MD. A record 250 attendees participated in roundtables, discussions, workshops and presentations focused on needs in third party risk assurance. The Shared Assessments Summit has grown to be the leading third party risk assessment event for industries that include financial services, healthcare, retail, academia and energy. You can read more about the Shared Assessments Summit here.

    Collaborative Onsite Assessments
    The Shared Assessments Collaborative Onsite Assessment Project, begun in 2014 and using the Shared Assessments Agreed Upon Procedures (AUP) as the common onsite risk assessment methodology, continued in 2015 with additional participants. The project has developed a standardized risk assessment tool to improve assessment-related economies and scalability for outsourcers and service providers. The study drew on the collective intelligence of several top-tier multi-national financial services institutions to inform the Program Tools at the most robust level. The Collaborative Onsite Assessments pilots have been met with enthusiasm at the highest levels among participants. Currently eight of the top 10 financial institutions have mapped their corporate requirements to the new AUP and signed off that it fully meets their expectations.

    International Expansion
    In 2015, the Shared Assessments Program began working towards expanding its international footprint. The Program is working with leaders in some of the most heavily-regulated foreign markets, including the UK and Asia-Pacific, to involve them in building best practices for third party risk in their countries.

    Roundtables and Awareness Groups
    This past year, Shared Assessments Program members and other thought leaders convened, providing a venue for:

    • The Shared Assessments Regulatory Compliance Awareness Group that identifies emerging trends and needs for third party assessment tools for consumer protection, operational risk and regulatory compliance monitoring to identify recommendations for enhancements to program content and other needed deliverables. In 2016, this Awareness Group will seek to release a white paper titled, In-Tune Tone at the Top to Shape an Effective Risk Management Culture.
    • The Best Practices for Third Party Risk Management Awareness Group that discusses the challenges organizations face in managing third party risk and identifies existing best practices in use today, or seeks to develop new best practices to address those challenges. This Awareness Group will release two white papers in 2016 titled, Evolving Procurement in Third Party Risk Management and Onsite Assessment Best Practices Guideline.
    • In-person events to discuss collaboration and best practices for UK-based financial services organizations; law firms that service the financial services industry and leading healthcare and pharmaceutical organizations.

    2015 Studies and Papers

    • The results of the second annual Shared Assessments 2015 Vendor Risk Management Benchmark Study, sponsored by Protiviti, included additional analyses and insight into areas where a substantial number of respondents reported they have no process in place to support significant vendor risk component activities.
    • Law Firm Briefing Paper: The Significance of Information Security and Privacy Controls on Law Firms as Third Party Service Providers and Collaborative Opportunities for Resolution, with a focus on constructing a replicable process for evaluating client vendor relationship that employs governance modeling.
    • Collaborative Onsite Assessments Case Study: A Collaborative Approach to Onsite Assessments Using the Shared Assessments AUP, the Standardized Testing Procedures for Onsite Assessments, reporting on the successful Collaborative Onsite Assessments performed with financial services industry participants and a key industry third party.
    • Incident Response Briefing Paper: Due to release to Shared Assessments Program members on December 8 and to the public on December 9, the paper titled Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program examines and outlines a robust reference tool and practical third party risk assessment and monitoring recommendations for each phase of incident event management (pre, during and post incident). Members are encouraged to join a Shared Assessments webinar on December 9 to review the paper’s content with four of its creators: Jonathan Dambrot, CEO and Co-Founder, Prevalent Inc., Shared Assessments Program Chair; Brenda Ferraro, Director of Global Security, Aetna, Shared Assessments Steering Committee member; Rocco Grillo, Managing Director & Global Incident Response & Forensics Investigations, Protiviti, Inc., Shared Assessments Steering Committee member; and Ted Julian, Vice President, Product Management & Co-Founder, Resilient Systems. For more information and to register, please click here. The webinar is open to Shared Assessments members, as well as the general public.

    Shared Assessments Certified Third Party Risk Professional Certification
    Our Certified Third Party Risk Professional (CTPRP) Program has been a terrific success. In 2015, over 250 individuals received their CTPRP certification, improving their organization’s risk awareness and management capacity and their own professional standing. Earning the CTPRP designation shows proficiency in third party risk management concepts and principles. This includes managing the vendor lifecycle, vendor risk identification and rating and the fundamentals of third party risk assessment, monitoring and management. There is planned expansion of the CTPRP program in 2016 for additional online opportunities, at national universities and for in-person workshops educating third parties overseas.

    Updated 2016 Program Tools
    The Shared Assessments Program Tools help organizations create sustainable, organization-wide efficiencies in today’s high risk environment. The Program Tools are: the Standardized Information Gathering (SIG) questionnaire; the Shared Assessments Agreed Upon Procedures (AUP), a tool for standardized onsite assessments; and the Vendor Risk Management Maturity Model (VRMMM). The updated Shared Assessments Program Tools will be released in early 2016. These assessment tools serve organizations as they meet the recent surge in regulatory, consumer and business scrutiny alongside rapidly increasing threats and vulnerabilities, including those posed by third party service providers.

    The Program Tools have been updated with a focus on business continuity and resiliency, operational risk as it relates to information security, ensuring adequate controls to prevent Denial of Service (DoS) attacks, and the addition of maturity ranking. The industry standards, regulations and guidance the Program Tools currently align to include:

    • US financial services and healthcare regulations and standards and guidance, including: FFIEC Appendix J and OCC-2013-29; Merchant Processing Handbook; Healthcare Regulatory Guidance and Standards: HIPAA Incident Response Reporting Procedures.
    • Other pertinent US governmental guidance and standards in all industries for federal and/or state agencies, including: NIST Cybersecurity Framework (CSF); Computer Security Incident Handling Guide (NIST.SP.800-61r2); Title 21 of the Code of Federal Regulations (CFR) Part 11 Section 11.1 (a); DOJ Breach Procedures; US CERT – Federal Incident Notification Guidelines.
    • US-based national and international standards: AICPA Incident Response Procedures; COBIT; Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM); ISO 27001, 27002; PCI-DSS.
    • International standards, including UK Cyber Essentials Scheme and EU Data Protection Directive.

    Mapping is underway to ensure we further align to:

    • Asia-Pacific-Japan (APJ): Asia-Pacific Economic Cooperation (APEC); Association of Banks in Singapore Outsourced Service Provider (OSP) Standardized Guidelines; Australian Prudential Regulatory Authority (APRA); Hong Kong Monetary Authority (HKMA); Monetary Authority of Singapore (MAS).
    • Europe: EU – European Central Bank (ECB); Germany – Bundesbank/Central Bank of Germany (BuBA), German Federal Financial Supervisory Authority (BaFIN); Luxembourg – Commission de Surveillance du Secteur Financier (CSSF); Switzerland – Financial Market Supervision Act (FINMA); UK – Financial Conduct Authority (FCA); Financial Services Authority (FSA); Prudential Regulation Authority (PRA) Rulebook.

    What Else is on the Horizon for 2016?
    Shared Assessments 2016 initiatives respond directly to the dynamic landscape of third party risk management by addressing the increased need for direct board involvement, compliance awareness, and research and education opportunities for risk professionals, to inform and support the establishment and refinement of best practices within and across verticals.

    The Shared Assessments Program will be convening and/or participating in the following industry roundtables, as well as developing those in other relevant sectors:

    • Financial Institution Roundtable – January 2016
    • International Singapore APAC – February 2016
    • Asset Management Roundtable – March 2016
    • 2016 Shared Assessments Summit – May 16-20, 2016.
    • 2016 Shared Assessments Conferences, planned for London and Singapore.

    The Program will be releasing several original and highly-influential papers at the end of the year and into 2016, which include:

    • A research project, conducted with the Ponemon Institute, exploring risk management practices related to cybersecurity and third party risk.
    • A Guided Assessment – Shared Assessments Working Group: Onsite Assessment Best Practices Guidelines, created by the Shared Assessments Best Practices for Third Party Risk Management & Assurance Awareness Group, with best practice assessment and scoping guidelines that are practical for all outsourcing organizations, onsite assessment teams, managers and service providers, regardless of industry or assessment scope.
    • The 2016 annual Vendor Risk Management Benchmark Study, sponsored by Protiviti.

    In addition, the full Shared Assessments Collaborative Onsite Assessments Program will roll out in 2016. Learn how you can review the testing procedures outlined in the Shared Assessments AUP and participate in the Program by contacting Charlie Miller, Senior Vice President, The Santa Fe Group and Shared Assessments Program, at charlie@santa-fe-group.com.

    The Shared Assessments Program continues to provide a professional platform for examining and resolving critical issues as they emerge in the evolving third party risk landscape, including managing for risk rather than compliance, optimizing third party risk mitigation and leveraging resilience to ensure positive outcomes. Members can sign up to participate in 2016 initiatives by completing the “request to participate.” For more information about each activity and to sign up, click here.

    Robin Slade is Executive Vice President and Chief Operating Officer with The Santa Fe Group and the Shared Assessments Program. Robin leads all activities of the Shared Assessments Program, including managing its Member Forum, Advisory Board, Steering Committee and working groups and the Certified Third Party Risk Professional program. Connect with Robin on LinkedIn.

    Webinar: Building Best Practic...

    11-26-2015


    Building Best Practices for Monitoring Third Party Incident Event Management Programs – Presented by Protiviti and Shared Assessments

    Effective third party due diligence demands a higher level of review than is presently being performed. Coordinated and active vendor involvement is lacking in many outsourcing organizations’ incident event management programs. In fact, a mere 9% of incident management professionals deem their program to be “very effective” (SANS Institute, 2014).

    Join this webinar with our expert panel for planning and program development that will help organizations:

    • Establish and maintain a coherent incident response program that involves third parties.
    • Improve outcomes through a higher level of preparation.
    • Better protect their reputation with a more mature response process.

    Speakers:

    • Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc., Shared Assessments Program Chair (Moderator)
    • Rocco Grillo, Managing Director & Global Incident Response & Forensics Investigations, Protiviti, Inc., Shared Assessments Steering Committee member (Panelist)
    • Ted Julian, Vice President, Product Management & Co-Founder, Resilient Systems (Panelist)
    • Brenda (Ward) Ferraro, Director of Global Security, Aetna, Shared Assessments Steering Committee member (Panelist)


    Starwood Breach Not Isolated...

    11-23-2015


    Tracy Kitten, Executive Editor for Bank Info Security, today released an article about the recent Starwood breach.

    In the article, Tracy discusses how this incident may not be isolated and that “fraud patterns indicate that another, perhaps larger, breach is impacting cards across the country”

    Click here to read the full article.

    Are You Effectively Managing Y...

    11-20-2015


    By Susan Eilefson, Deluxe Corporation
    Reposted with permission. Originally posted on Deluxe Blogs.

    As the Compliance Enablement Documentation Specialist in the Business Risk & Compliance Department at Deluxe Corporation, one of my key responsibilities is to ensure that all of our documentation will stand the scrutiny of external auditors. All departmental documentation – written policies, procedures, compliance overviews, executive summaries, etc. – must be properly written, reviewed, and updated in order to ensure that we’ll satisfy auditors’ requests, thereby eliminating the need for remediation. In general, our documentation must speak to our compliance programs and provide evidence that we are compliant with applicable laws, regulations, and program requirements.

    Any corporation that provides products and services that are heavily regulated should be very concerned with effectively managing its compliance documentation no matter what the segment: healthcare, consumer protection, identity theft prevention, Internet compliance, etc. I have compiled a list of five tips, aka “best practices,” for ensuring that my department’s documentation is able to weather the external auditing storm.

    USE TEMPLATES/STANDARD FORMATTING

    Take the guesswork out of drafting these important documents! Create standard templates to use for all departmental policies, procedures, processes, guidelines, compliance overviews, etc. This will ensure that the right content is included in each type of document in a consistent manner. This is especially important if you have multiple individuals writing your documentation.

    MAKE SURE YOUR DOCUMENTS ARE ACCESSIBLE

    It shouldn’t be difficult for your employees to access important documentation! Create a master list of all documentation with the path to where it is located on either the team shared drive, a SharePoint site, or in your company’s electronic documentation management system. Document accessibility will greatly reduce time and frustration during onsite audits for your employees to provide auditors with the documents they are requesting.

    STAY ON TOP OF YOUR DOCUMENT REVIEW CYCLE

    Ensure that your documents are being reviewed on an annual, or more frequent, basis! There is nothing worse than presenting outdated documentation to an auditor. You can prevent this by creating a departmental documentation review calendar which will ensure that all of your critical compliance documentation is reviewed and updated on a pre-determined schedule. Use your electronic documentation management system, or appointed compliance documentation manager, to send out notification emails and monitor the document review process.

    CREATE CLEAR AND USER-FOCUSED DOCUMENTATION

    Make sure that your compliance documentation is straightforward and easy to understand! Confusing policies, procedures, and overviews will only open the door for questions during an audit and the need for remediation. It is also crucially important that your documentation aligns with what your employees are actually doing. If your documentation says one thing, and your subject matter experts (SMEs) say another, this is a huge red flag for an auditor.

    ENSURE THAT YOUR DOCUMENTATION IS ACCURATE

    Always, always, always check all of the content in your documentation for accuracy when you are performing a review! Make sure that all SMEs have had a chance to review the documentation to ensure that the information is still current and relevant. Don’t risk inaccuracy for the sake of efficiency. It is better to prolong the publication of a critical document than to push it out with inaccurate content.

    In today’s heavily regulated, audit-focused climate, it is more important than ever to ensure that your company’s compliance documentation is ready for the strict scrutiny it will certainly endure. It is no longer okay to adopt a “hope for the best and cope with the rest” approach to audits. Auditors are expecting more detailed, consistent compliance documentation from all industries – financial, health care, pharmaceuticals, and the list goes on. By following the above five simple tips, you can help to ensure that your company passes its next audit with flying colors!

    Practical Vendor Management to...

    11-16-2015


    The Santa Fe Group Senior Vice President, Charlie Miller, recently participated on the Truste webinar, Practical Vendor Management to Minimize Compliance Risks

    Webinar Description
    Organizations will be judged by the company they keep. Don’t let third parties off the hook when your data privacy compliance is at risk. While third parties often come through breaches unscathed, organizations frequently pay a high price for public incidents linked to vulnerabilities that vendors introduce.

    When considering privacy management for your organization, it’s also essential to factor in the risk you take on when contracting with an outside vendor. If a vendor is found to be in violation of privacy regulations or best practices, or simply isn’t following its own privacy policies, you could face repercussions along with that company. Organizations should conduct a thorough privacy risk assessment of a potential vendor before working with them, and continue to monitor privacy compliance with all vendors on a regular basis.

    The Webinar reviewed how to identify key considerations, requirements and risks when dealing with downstream vendors and priorities for effective program management.

    To view the recording, click here
    To view the slides, click here

    Click the following links for: further details of the Shared Assessments 2015 Vendor Risk Management Benchmarking and the Shared Assessments Collaborative Onsite Assessments case study.

    Bend, But Don’t Break: How t...

    11-12-2015


    By Elena Ames, Deluxe Corporation
    Reposted with Permission. Originally posted on Deluxe Blogs.

    Last week, my colleague Brad Reimer posted a great privacy blog on his recent attendance at the 2015 Privacy. Security. Risk. (P.S.R.) IAPP conference. Protecting sensitive information has been a key topic this year for many organizations across the globe. A few months ago, I had the great opportunity to visit Toronto, Canada, and network with other privacy professionals at the IAPP Canada Privacy Symposium. We sat together for three days, sharing knowledge and creating strategies. One universal topic we discussed concerned all of the breaches occurring around us. They affect us all. They can impact one person or tens of millions. Data breaches exploit known or unknown vulnerabilities in systems, including humans that run or access them. Breaches are generally the result of a series of events and many have a technological component. And, often, they could have been prevented!

    WHAT CAN A COMPANY DO TO PREVENT A BREACH?

    Companies should learn from each other, from other privacy breaches. They should consider if there were internal or external threats, or missing, incomplete or un-followed policies or procedures. There are many excellent reports available on frequently seen vulnerabilities from Verizon, Microsoft, Symantec, and many others, including government reports on audits.

    The Office of the Privacy Commissioner of Canada gives advice on how companies can safeguard their data at the enterprise level:

    • Have a governance structure in place: CPO, DSO, CISO, CIO, and BCP working together with the support of all executives to achieve the organization’s objectives.
    • Ensure that all employees understand roles and responsibilities, which can be achieved through training.
    • Have a compliance program with policies and procedures.
    • Use risk assessment to address any organizational changes, implementation of new services and products, or changes to systems.

    KNOW THE DATA AND EXACTLY WHAT IT IS TRYING TO PROTECT

    • What data do you have?
    • Is it sensitive?
    • Where is it located?
    • How is it being protected?
    • Where are the customers? (This will impact the law you need to follow.)
    • Do you even need the data?
    • Do you still need the data after thinking through all these questions? If so, limit retention and destroy what is not needed.

    EVERY COMPANY SHOULD PLAN TO MINIMIZE THE IMPACT OF PRIVACY BREACHES

    • Have access to a trained multi-disciplinary response team with clear roles and responsibilities.
    • Make sure outsourced providers have the same level of understanding of what a breach is and what the appropriate response is.
    • Review all security policies.
    • If a breach does happen, a company’s goal should be to minimize the impacts on affected individuals and re-establish trust. My colleagues and I agree that the more transparent a company is about what it is doing, the faster it will regain the trust of its customers and its reputation.

    Building Breach Resistance in ...

    11-10-2015


    According to the Ponemon Institute’s 2014 Global Report on the Cost of Cybercrime, a quarter of organizations worldwide fail to meet their own security requirements. If your organization is one of that 25 percent, given the surging rate of cybercrime, you are probably hurrying to ramp up privacy and information security programs, staff, and budget. If yours is one of the 75 percent that does meet its own requirements, take a moment to congratulate yourself—just a moment—and then think about all your business partners, third-party service vendors, and suppliers. If 25 percent of them are not meeting their own security requirements, what are the chances they’re meeting yours?

    In the previous article in this series, we discussed the fact that human error is often the weak link that leaves organizations vulnerable to cybercrime, and we looked at ways to build breach resistance in the organization. But your partners and suppliers can also make mistakes or simply have poor security practices. As Rocco Grillo, managing director at consulting firm Protiviti says, “You can have all the security in the world inside your company’s four walls, but all it takes is a compromise at one third-party vendor that’s connected to you [to create] a bridge directly into your organization.” In fact, Protiviti’s 2015 Vendor Risk Management Benchmark Study found that, on a scale of 1 to 5, organizations rate an average of 2.8 on the maturity of their vendor risk management practices. That leaves a lot of room to improve breach resistance in your business ecosystem. Let’s look at some of the things you can do.

    Make Requirements Clear
    Depending on your industry, there may be a long list or a whole network of regulations governing privacy and information security practices, and some—the Health Insurance Portability and Accountability Act (HIPAA), ISO 27001/2, the Consumer Financial Protection Bureau (CFPB) regulations, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, among others—have specific requirements for working with third parties. But some of your vendors may not be in your industry, may not know the regulations, or may have no idea the requirements apply to them. So the first step in managing third-party risk is to make sure your third parties know what is expected of them.

    Defining requirements can begin with vendor selection. Before choosing a vendor for any service that has access to information (anything from cloud computing and data processing to a temp agency or an HVAC company or janitorial service that sends staff to your facilities), bring together the hiring department and stakeholders, privacy and security staff, and the responsible purchasing or HR person to identify the information risks associated with that vendor and to build security requirements into the screening and hiring process. Once the vendor is selected, carry those security and privacy requirements into the contract, wherever possible quantifying them with performance-based contract provisions such as service-level agreements (SLAs), key performance indicators (KPIs), or key risk indicators (KRIs). Cyber attorney Sean Hoar, partner at Davis Wright Tremaine LLP, says you should require third parties to commit to following commercially reasonable practices. “If the primary party [your organization] has a best practice framework it follows, that framework may be used as the standard to be followed by the third party, and it can be incorporated into the contract. If I am counseling the primary party, I would also recommend the inclusion of an indemnification provision wherein the third party indemnifies the primary party for any compromise of its system up to the value of data or likely harm that might result if the third party service is compromised. This provides a significant incentive for the third party to increase and sustain a healthy security posture. The indemnification provision should be backed up with sufficient cyber liability insurance coverage and the primary party should be listed as an ‘additional insured’ on the policy.”

    Favor Certified Vendors
    In some fields, vendors may be able to offer you an additional level of assurance through security certifications. For example, the Cloud Security Alliance offers multiple levels of security certifications for cloud-based vendors, and some of their certification levels include independent audits. The Global Information Assurance Certification (GIAC) offers cybersecurity certification in a number of areas, from mobile device management to industrial control systems, and the International Information System Security Certification Consortium, Inc. (ISC)² offers the Certified Information Systems Security Professional (CISSP) certification, with specializations in areas such as architecture, engineering, and management. Individual technology vendors, from Microsoft, IBM, and Intel to Cisco and Symantec, also offer certifications for their technologies. Look for potential partners who have support staff with security certifications relevant to your business.

    The Shared Assessments Program, a consortium of leading financial companies and key service providers, also offers tools and resources for conducting vendor risk assessments. Screening potential third-party vendors for security and privacy programs and practices should be a standard part of vendor selection, but industry-specific certifications and risk assessments provide additional assurance that your vendor will be able to meet your security needs.

    Help Your Partners to Protect You
    Your vendors want to protect their relationship with you, and they don’t want to become party to legal action or penalties resulting from a breach, so they should be eager to partner with you in protecting your information. You can help them in a variety of ways:

    • Train them in your security practices by including key vendor personnel in your training programs and by empowering them to train their own staff.
    • Provide clear communication channels and schedule regular check-ins to discuss privacy and security processes and review key indicators.
    • Make sure that there is a well-defined process for escalating privacy and security-related incidents, and that all relevant staff within both organizations know it. Run periodic drills to make sure it is working.
    • Include your vendor’s staff in security awareness programs to warn them of emerging threats and help them build resistance to phishing, visual hacking, and other kinds of attacks that may compromise their system security and yours.
    • Require them to periodically review and report to you on security programs with their own vendors and on cloud app usage within their organizations. (A new study from Skyhigh Networks shows that the average organization is using over 10 times more cloud services than the IT organization knows about. If you add up the “shadow services” that your organization is probably using and the ones that all your vendors are using, that could be a massive security hole.)

    Hold Them Accountable
    Defining security requirements for vendors is important, but it’s not much use if you don’t monitor to make sure the requirements are being met. According to the Protiviti study, the category Tools, Measurement, and Analysis is one of the weakest areas in most organizations’ vendor risk management (2.4 out of 5), and most don’t allocate enough resources for vendor risk management activities. You need to allocate people, time, and resources to track security performance indicators with your vendors and to address issues if they are not being met. And if you are ending the business relationship with a vendor, whether due to performance or because the business need has changed, you also need to allocate resources to make sure your data is securely and completely removed from their systems.

    If there is a security incident or breach due to third-party error or negligence, Hoar says that your remedies will primarily be contractual. “This is why it is important to conduct due diligence up front on third-party providers, draft indemnification clauses into every third-party service contract, and ensure that the indemnification is backed up by cyber liability insurance coverage which equates to at least the value of data processed, transmitted or stored by the third party service.”

    In this age of interconnected systems, outsourced business processes—and software, applications, and infrastructure as services—businesses depend on a whole ecosystem of third parties to stay agile and competitive. As with any other ecosystem, the denizens of your business community can flourish or fail together, so you and your business partners and suppliers have a vested interest in protecting one another from the predations of cybercrime. With good communication, collaboration, and proactive oversight, you can.

    Originally posted on the ID Experts Blog. Reposted with permission.

    Jeremy Henley is the director of breach services for ID Experts. Henley has direct oversight for all breach incident management services. He has been certified by the Healthcare Compliance Association for Healthcare Privacy and Compliance and brings more than a dozen years of sales, consulting and leadership experience to the ID Experts team. He is responsible for establishing and maintaining relationships with insurance carriers offering cyber and privacy liability coverage and works with insurance brokers and risk managers to minimize the risks of breach.

    Privacy. Security. Risk. 2015:...

    11-04-2015


    By Brad Reimer, Deluxe Corporation
    Reposted with permission. Originally posted on Deluxe Blog

    I recently attended the 2015 Privacy. Security. Risk. (P.S.R.) conference presented by the International Association of Privacy Professionals (IAPP) and the Cloud Security Alliance (CSA). The keynote speakers offered good reminders about the ongoing duel that privacy and security professionals face in protecting sensitive information from those who would use it for ill-gotten gain. They also highlighted a duel that I hadn’t given much consideration. There are some key learnings from both duels.

    Kristin Lovejoy, President of Acuity Solutions, highlighted the concept that if organizations were human beings, they would all be infected with security issues. IBM statistics indicate that an average company with 15,000 employees looks at 1.7 million security events a week with 324 events initiated by “motivated” attackers. Even if your institution is not that large, the reality is that there is an ongoing and present infection in your organization. Based on the IBM findings, you have to fight the infection on two fronts: making sure your people don’t negatively impact the health of your security and privacy programs and ensuring that malicious attacks from the outside don’t compromise the system.

    Brian Krebs, Investigative Journalist and Cybersecurity Expert, highlighted some of his experiences and findings related to security. He specifically called out the fact that common practices for customer authentication using readily available information – date of birth, address, Social Security number – and knowledge-based challenge questions make customers more vulnerable. That information can easily be bought or accessed on the Internet, and he illustrated to the attendees at P.S.R. how this can be accomplished. He used that as the basis to discuss instances when the Internal Revenue Service and Social Security Administration were compromised and fraudulent returns and claims were submitted through online authentication mechanisms.

    The other point that Lovejoy, Krebs, and Arthur Coviello, Jr. highlighted in the keynotes was the tension between security work and privacy work. Lovejoy stated that security and privacy professionals need to be honest about some of the inherent conflicts in their roles. In order to provide better security, more information needs to be collected and understood. This violates the privacy principle of only collecting the minimum necessary amount and creates a richer, more valuable set of data to be defended. Krebs echoed this sentiment, stating that “Better verification requires collecting more information and increasing privacy risk.”

    There were some key takeaways to consider when evaluating how your institution protects sensitive personal information:

    FLEXIBLE CONTROLS

    Lovejoy suggested that you consider a flexible approach to security controls based on risk. Her opinion was that most organizations standardize one set of rigorous controls and then force everyone to conform to those controls. The problem with this approach is that employees will find ways around the controls to get done what they need to get done. The alternative she proposed was to scale the controls to the level of access to sensitive information: individuals with no access to sensitive information should have the loosest controls and oversight, while super users or master system administrators should have the most rigorous.

    NEW AUTHENTICATION METHODS

    Krebs’ presentation called out the need to move beyond authentication information that is readily available online or that can be reasonably inferred from various sources. It was apparent that the use of this type of information needs to be re-evaluated. Personally, when I choose knowledge-based questions for self-authentication, I pick the ones that I feel are the least likely for someone to know, e.g., “What was the first name of your prom date?”

    TERMINATION PROCEDURES

    Krebs also pointed out the need to make sure that employee and contractor terminations include a rigorous process to ensure systems access is removed when no longer necessary. I would also expand this to include ensuring that access between systems and software programs is removed and managed when they are retired or their role is changed.

    TRACK INNOVATION

    Lovejoy and Jean Yang, Assistant Professor at Carnegie Mellon University’s School of Computer Science, reminded attendees to keep abreast of innovation. Lovejoy discussed how machine learning can be used to help develop more secure software. By providing a computer with an abundance of examples of “secure” software and applying machine learning techniques, the computer can then identify software code that is not secure without the need for a human to review the code. Yang also discussed the methodologies that she used when developing the Jeeves programming language, which automatically incorporates security controls during development.

    HEALTHY SECURITY/PRIVACY RELATIONSHIPS

    The other area that was highlighted was the need to ensure that your institution’s privacy and security functions have a healthy working relationship. They need to understand what data is necessary to provide robust authentication based on the institution’s risk appetite and the best ways to balance both the need to keep information about account holders private while having the information available to authenticate the user.

    Protecting sensitive information in your institution is a duel that goes on every day. Your privacy and security teams need to make sure they are working on their form, study their environment, and keep thinking of new approaches and defenses. They also need to be aware of the potential damage they can do if they are dueling each other.

    One of the duels is very public, conjuring images of the Musketeers fighting Cardinal Richelieu’s forces in the streets. The other is very subtle and hidden, conjuring images of back alleys, dark nights, and isolated corridors. The first is one your institution must fight intensely. The second is one your institution must prevent by ensuring a healthy and beneficial partnership.

    Building Your Breach Resistanc...

    11-02-2015


    By Doug Pollack, ID Experts
    Originally posted on the ID Experts blog. Reposted with permission.

    Cyber-attacks and the resulting data breaches are all over the headlines. Just this year, we’ve seen the Anthem breach (80 million individuals affected), a billion-dollar cyber-heist that affected up to 100 banks worldwide, the OPM data breach (21.5 million people affected), and the Ashley Madison breach (37 million people affected). In October 2015 alone (National Cyber Awareness Month, no less), we’ve seen breaches at Scottrade (4.5 million individuals affected) and a data breach at credit-reporting service Experian that affected as many as 15 million T-Mobile customers. Cyber-attackers exploited various methods—viruses, malware, etc.—to grab information from these organizations, but a common thread running through the majority of major breaches is human error, often people being fooled into giving thieves back door access into critical information systems. The Anthem breach and the bank heist are thought to have originated with phishing attacks against employees. According to Wired, Ashley Madison hasn’t released the cause of its breach, saying only that it was not due to a software vulnerability, fueling speculation that it was perpetrated or enabled through the credentials of a current or former employee. The causes of the Scottrade and Experian breaches are under investigation. (In 2014, security reporter Brian Krebs reported how a unit within Experian had been tricked into selling personal and financial records on more than 200 million Americans to an “identity theft service”—a supplier to cyber-thieves—operating out of Vietnam.)

    The point is that, while cyber-attackers are becoming ever more sophisticated at stealing information from business systems, gaining entry into those systems is relatively easy because employees, vendors, and sometimes customers are not very sophisticated at keeping them secure. You can’t stop mistakes and you can’t stop breaches 100 percent of the time, but you can teach breach resistance, and that will keep more of your data safe, more of the time. Let’s look at some of the basic security concepts and practices your employees, users, and customers need to know.

    Basic Hygiene
    The foundation of a breach-resistant user base is a culture of security: not just periodic training, but ongoing communication about threats, risks, and best practices. Brian Contos, chief security strategist for Norse, says that building security consciousness takes collective effort. In a recent Dark Matters article, he says that annual security training tends to be viewed as compulsory rather than an opportunity to learn useful information. He recommends holding frequent, interactive training to educate the workforce on current threats and defense tactics, and which includes executives, management, and employees together to share experiences and help educate each other. Your customers can also be an unwitting source of data breaches if they share information in the wrong places, so consider sharing security tips in a customer newsletter or other customer communications.

    Awareness programs should also promote basic security hygiene reinforced with ongoing information about new threats and the consequences of poor security practices. At a minimum, every user needs to know that data theft and cyber-attacks are a daily concern, and that what they do in their personal lives can affect their privacy and financial well-being, as well as the organization’s.

    No Phishing
    Phishing, especially targeted or “spear” phishing, is typically the first stage in a multi-stage cyber-attack and, as noted above, successful phishing has initiated a number of major breaches in recent months. But you can fight back: a recent Ponemon Institute study found that phishing training reduced employee click rates on phishing email by an average of 64 percent. Several companies (including Wombat Technologies, which sponsored the Ponemon study) offer phishing training, but here are some basic tips from US-CERT that every user should know.

    • Don’t open unsolicited emails, click on links, or open attachments in unsolicited emails.
    • Be suspicious of claims that are too good to be true. Typical examples are weight loss claims, sexual enhancement claims, and people claiming to want to give you large sums of money. (Initially, so many of this last type originated in Nigeria that they were dubbed “Nigerian 419” frauds, after a section of the Nigerian penal code.) These are often easy to spot because of poor spelling, wrongly used legal terms, and other mistakes.
    • Be careful in responding to or providing information in response to unsolicited emails from banks, the IRS, or other organizations, and don’t fall for scare tactics. Anyone you deal with already knows your name, your bank account number, your medical ID number, etc. They won’t call asking you to “confirm” it. Links in these emails often lead users to spoofed websites that look legit but are designed to collect personal information from unsuspecting users. If users aren’t sure about an email, they can look up a number (it’s usually on the back of a credit card or ID card), and call the organization directly to check whether the email is legit.
    • Phishing also happens on social media, so warn users not to share personal information with someone they don’t know in real life, and if they receive an unusual communication that seems to be from someone they know, call that person and check it out.

    Phishing attacks can come through external devices, but for internal networks you can supplement user awareness programs and minimize user exposure to phishing attacks with solutions such as filtering technologies; blocking images, links, and attachments; and email authentication.

    Mobile Safety
    A CSO Magazine article called mobile devices the “holy grail” for hackers seeking to breach an organization’s security perimeter, and noted that “Small and midsize businesses face higher risks because they’re often not able to keep up with BYOD policies, and threats can change every three to six months.” With mobile devices, many people are now online virtually every waking hour, giving cyber-attackers 24/7 access to mount phishing attacks and deliver malware that can attack business networks from inside when the user logs in with a mobile device.

    Employees need to understand that their personal mobile devices face the same threats as any other computer. IT Departments need to conduct ongoing training and enforce mobile security best practices and habits among employees in order to keep their mobile devices secure:

    • Always install OS and other updates with security patches promptly.
    • If you bring your own devices to work, run security software on them.
    • Don’t download apps from non-trusted sources. (As of October 7, 2015, mobile security site Spreitzenbarth listed over 180 malware families found in Android apps, and, although Apple screens apps going into its App store, the XcodeGhost malware is being found in a growing number of iOS apps.)
    • Avoid storing business data on personal devices.
    • Don’t share a device used at work with a friend or family member. Installing apps is easy, and kids don’t think twice about downloading any app that looks appealing. A number of the malware-infected iOS apps are children’s games, and of course, they are mostly free.

    Stop Visual Hacking
    Visual hacking is exactly what it sounds like: people stealing information by looking at private information on a screen or on paper or by watching someone enter it on a computing device. We’ve all been warned to make sure no one is watching when entering our PIN at an ATM. But “shoulder surfing” isn’t limited to ATMs, and it can happen in public or in the workplace. In a study sponsored by manufacturer 3M, Ponemon Institute found that nearly half of visual hacking attempts were successful, and in 88 percent of trials, a white-hat hacker posing as a legitimate visitor was able to infiltrate a workplace and obtain sensitive information because it was left in plain sight. In 70 percent of the trials, office workers didn’t even confront the hacker looking at sensitive information, and in only one out of 30 trials did a worker report the suspicious activity to a supervisor or manager.

    To combat visual hacking, users need to be trained to be aware of their surroundings; to minimize exposure, for example by working with their backs to the wall when in public areas; to use lock screens and secure their work areas when leaving their desks; and to report suspicious activity right away. 3M also recommends using privacy filters that allow only the user directly in front of the screen to see what’s on a computer or device. (3M is one of several manufacturers of privacy filters.)

    No Foolproof Solutions
    Information security is costly. In July 2015, Michael Brown, CEO at Symantec, told CSO Magazine, “The demand for the [cybersecurity] workforce is expected to rise to 6 million [globally] by 2019, with a projected shortfall of 1.5 million.” The article also cited a Dice report that found the average annual salary for an infosec engineer is higher than the average CSO salary. Not every organization can afford dedicated infosec staff, and security and privacy decision-makers have to consider the costs and benefits of new security products and services, from data analytics to threat intelligence.

    But the bottom line is that, regardless of your security and privacy budget, all the experts and technology in the world won’t protect your organization’s information if the rest of the staff and users leave the door wide open to cyber-attackers and thieves. Your immediate best investment is to turn every person who deals with your systems into a security person. (The Ponemon Institute study found a 50x ROI on security training against phishing.)

    As cyber-security expert Vince Crisler pointed out in a Dark Matters article, “To ‘win’ in cyber security, defense must be right 100 percent of the time, while offense only has to be right once. We must wake up to the reality that defense is an impossible task; no matter what actions we take, we will lose.” But if you can stem the tide of user mistakes, if you can build breach resistance into your workforce, your business partners, and your customers, you’ll lose less information and less often. You can start today with your staff and customers. In the next installment of this series, we’ll talk about ways to build breach resistance in your vendors and business partners.

    As chief strategy and marketing officer, Doug Pollack, ID Experts, is responsible for the strategic direction and marketing of our innovative software and services. He has over 25 years of experience in the technology industry, having held senior management and marketing roles with Apple, Inc., 3Com Corporation as well as several venture-backed enterprise software startups. He holds a BS in Electrical Engineering from Cornell University and an MBA from the Stanford Graduate School of Business.

    EMA and Prevalent Publish Info...

    10-29-2015


    This week, Prevalent published an infographic developed by analyst firm EMA focused on vendor threat management.

    The infographic starts with a simple question: ‘Do We Need Vendor Threat Management?’ It shows a senior executive asking a team member whether his organization is prepared to take on third-party risk. The team member answers that they are not, but neither are 92% of other organizations. The simple fact that EMA’s research finds most companies are not prepared for third-party risk management is indicative of overall cyber risk preparedness, given the trends in outsourcing, the use of the cloud, and managed services.

    The next scene is set in the board room, with the same executive asking whether the company is monitoring vendors who have access to business resources. These vendors include IT firms, accounting firms, law firms, insurance firms, and others. The team in the room starts to identify key statistics about the state of third-party risk management in an effort to help the executive understand where things stand. Some of the highlights include:

    • 63% of breaches were tied to third-party IT providers.
    • 38% of organizations prioritize security investments based on risk or impact to overall business strategy.
    • 64% of organizations do not conduct regular security audits.

    The third scene has the executive discussing how other organizations have been impacted by third-party breaches as well as whether this was a must for the business. In addition to the risks identified in the board room and detailing some recent breaches, the executive also identifies other reasons for vendor threat management:

    • Compliance with regulations like OCC, PCI, and HIPAA
    • Maintaining vendor and client relationships
    • Maintaining industry reputation
    • Reducing financial risk

    The goal of this infographic is to highlight the risk, business impact, and readiness gaps most organizations are facing. It does not discuss a solution, but we know the old ways of inconsistent, non-standardized questionnaires, managed manually without technical monitoring and threat intelligence, are never going to give companies the visibility and risk management they need to combat the growing threat.

    It is clear that a model based on threat intelligence monitoring insights tied to automated assessments using standardized content like the Shared Assessments Standardized Information Gathering (“SIG”) Questionnaire, as well as continuous threat monitoring, is necessary to give organizations of all sizes the insight they need to reduce third-party risks. Prevalent is the first purpose-built unified platform for third-party threat management to offer these capabilities for enterprises of all sizes.


    Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc., is the 2015 Shared Assessments Program Chair. Jonathan is responsible for driving the direction of Prevalent, as well as managing the sales, project management, operations, legal, and marketing organizations at the company.

    Reposted with permission from Prevalent Blogs

    The Seemingly Illusive Nature ...

    10-28-2015


    Think Tone at the Top doesn’t matter? A front page headline in the Friday, September 25th New York Times Business Day section, commenting on Volkswagen’s use of sophisticated software to circumvent emissions standards, read “Problems at VW Start at the Boardroom” and continued “The governance of Volkswagen was a breeding ground for scandal. It was an accident waiting to happen.” The article describes a boardroom where outside views rarely penetrate. An observer said, “It’s an echo chamber.” Former executives describe the corporate culture as insular, reinforced by a board with a “paucity of independent directors.” ((Problems at Volkswagen Start in the Boardroom. New York Times. September 25, 2015. http://www.nytimes.com/2015/09/25/business/international/problems-at-volkswagen-start-in-the-boardroom.html?_r=0))

    Volkswagen is an extreme example to be sure. However, some spectacular corporate failures in the early and mid-1980s led to a number of initiatives to address instances of fraudulent reporting – Drysdale Government Securities, Washington Public Power Supply System, Baldwin-United Corp., and E.S.M. Government Securities among them. One of those initiatives led to the formation in 1985 of COSO (The Committee of Sponsoring Organizations of the Treadway Commission), which has been at the forefront of risk management guidance for decades. ((http://www.coso.org/))

    When the National Commission on Fraudulent Reporting (also known as the Treadway Commission) released its groundbreaking study in 1987, it declared that Tone at the Top was “an element within the company of overriding importance in preventing fraudulent financial reporting.” It said:

    “The tone set by top management – the corporate environment or culture within which financial reporting occurs – is the most important factor contributing to the integrity of the financial reporting process. Notwithstanding an impressive set of written rules and procedures, if the tone set by management is lax, fraudulent financial reporting is more likely to occur.” ((Report of the National Commission on Fraudulent Reporting. 1987. http://www.coso.org/Publications/NCFFR.pdf))

    Almost three decades have passed since the original Treadway Report was published, and Tone at the Top has emerged again as one of the most critical elements in predicting not just the likelihood of financial reporting fraud, but more broadly the likelihood that any organization can mount and sustain a successful enterprise risk management process. COSO’s 2004 Enterprise Risk Management Integrated Framework defined eight components of enterprise risk management, including the “Internal Environment,” defined as “The tone of an organization, [setting] the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and appetite, integrity and ethical values, and the environment in which they operate.” ((Enterprise Risk Management-Integrated Framework. Committee of Sponsoring Organizations of the Treadway Commission. 2004. http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf))

    During the last three years, we’ve seen the essential role of executive management in building risk culture emerge as a central theme in both ISO standards and banking guidance. A few quick examples come to mind:

    • OCC Bulletin 2013-29. Subject: Third-Party Relationships.
    • OCC 2014 Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations and Insured Federal Branches.
    • ISO’s 2012 integration of standards – Emergence of “Leadership” (Clause 5) as a core concept in ISO Annex SL, which established new formatting for ISO Management System Standards.

    ((OCC BULLETIN 2013-29. Subject: Third-Party Relationships. US Department of Treasury. Office of the Comptroller. October 30, 2013. http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html; OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations and Insured Federal Branches; Integration of Regulations. US Department of Treasury. Office of the Comptroller. 12 CFR Parts 30 and 170. Docket ID OCC-2014-001: RIN 1557-AD78. September 2, 2014. http://www.occ.gov/news-issuances/news-releases/2014/nr-occ-2014-117a.pdf; Tangen, S. & Warris, A. Management Makeover – New format for future ISO management system standards. International Organization for Standardization. July 18, 2012. http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1621))

    And in Protiviti’s just-released Annual IT Security and Privacy Survey, the number one key finding is: “Tone from the top is a critical differentiator – from strong board engagement in information security to management establishing “best practice” policies, effective security begins with the right tone from the top, which is as important as any policy.” The study shows that just 28% of boards had high levels of understanding about, and high engagement with, information security risks relating to the business of their firm. ((The Battle Continues – Working to Bridge the Data Security Chasm. Protiviti, Inc. 2015. http://www.protiviti.com/en-US/Documents/Surveys/2015-IT-Security-Privacy-Survey-Protiviti.pdf))

    Yet, despite the intensifying focus on the criticality of leadership to establishing and maintaining an organization’s risk culture, it is not clear that many of us think about Tone at the Top in a way that translates into organizational components we can see and understand. In his keynote address at the University of Waterloo’s 2013 Tone at the Top Symposium, Chris Macdonald discussed what he called two “unavoidable truths” about ethical leadership and tone:

    1. “Ethical tone must be established at the top of the organization and communicated downward throughout the organization.
    2. Ethics cannot be simply imposed by the organization: it must be reinforced by the practices, systems, structures and ultimately the actions espoused throughout the organization.”

    ((Gunz, S. & Thorne, L. Introduction to the Special issue on Tone at the Top. Journal of Business Ethics. January 2015. Volume 126, Issue 1, pp 1-2. http://link.springer.com/article/10.1007/s10551-013-2035-1/fulltext.html))

    Indeed, the very practices, systems, structures, and actions Macdonald highlights are part of what the Shared Assessments 2015 Vendor Risk Management Benchmark Study measured. Those Benchmark Study results are part of what has focused my attention on Tone at the Top. Analysis above and beyond the published results suggests that in many important areas some firms are simply not undertaking practices that are key to successful third party risk management, while at the same time others in the same industries are progressing quite well.

    I’ve been thinking about those results in the context of the FFIEC Cybersecurity Assessment Tool, released in the summer of 2015. The tool includes a maturity model designed to help bank management understand the gaps between an organization’s actual performance and any of the levels defined in the maturity hierarchy. ((https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_CS_Maturity_June_2015_PDF2_c.pdf)) There are five levels, ranging from Baseline to Innovative. In the FFIEC model, Baseline is defined as “characterized by minimum expectations required by law and regulations and recommended in supervisory guidance…including compliance driven objectives,” and assumes that “management has reviewed and evaluated guidance.”

    When I’ve tried to (subjectively) correlate the FFIEC’s Baseline level 1 with the Shared Assessments Vendor Risk Management Maturity (VRMMM) scale, it seems to me that at a high level the FFIEC baseline lies somewhere between VRMMM levels 3 and 4, well above what the 2015 study suggested was a common level of performance. (See graphic below.) And outside the banking industry, in many areas, the gaps were quite large.

    Say what you want about banking regulations; in point of fact, most of the third party risk guidance regulators have issued merely formalizes what should be basic security hygiene in an increasingly complex cyber security environment. That’s why the guidance is relevant to industries wherever cyber security is a significant concern: healthcare, utilities, communications, and the list goes on.

    [Image: FFIEC Blog Image]

    There’s a strong case to be made that executive managers need to motivate enterprise risk management disciplines within their firms in a way that so far has been elusive, even in the face of escalating threat environments. The good news is that there finally seems to be more recognition of that reality, and more tools to help the C-suite achieve the results everyone wants to see. So Tone at the Top, at least from a third party risk perspective, should start to improve, and we should expect to see evidence of that change in future Vendor Risk Management Benchmark Studies. Stay tuned…

    For more than 35 years, The Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.

    The Not-So-Secret Service: Wha...

    10-21-2015


    Of all the scandals that have struck the U.S. Secret Service over the past few years, I can’t think of any more damaging than the current controversy involving Congressman Jason Chaffetz (R-Utah), House Oversight and Government Reform Committee Chairman.

    While it’s probably safe to assume the U.S. Secret Service (like most government agencies) has established policies, procedures, practices and standards to prevent events like this from happening, it shocks and amazes me (in a bad way) how they have managed to internally violate so many basic security principles protecting the confidentiality, integrity and availability of such sensitive data. Yet, on the upside, the risk management professional in me sees this salacious incident as a learning opportunity for business owners and security professionals everywhere, because if it can happen in the Secret Service, it can happen in any organization.

    The scurrilous events began earlier this year after Chaffetz’s committee admonished the Secret Service and assistant director Edward Lowery for numerous instances of misconduct and security mistakes. Chaffetz’s accusations angered numerous agents, who felt compelled to retaliate against the Congressman.

    A recent investigation by the Department of Homeland Security’s Inspector General found that Lowery emailed a colleague in March, commenting on Chaffetz’s personal file that was being widely circulated inside the Secret Service, writing, “…some information that [Rep. Chaffetz] might find embarrassing needs to get out. Just to be fair.”

    Two days later, the news website, The Daily Beast, reported that Rep. Chaffetz had applied to be a Secret Service agent in 2003, ultimately being rejected for the position.

    In an attempt to embarrass Chaffetz publicly, about 45 Secret Service agents accessed the personnel file from his 2003 application – located in a “restricted database” – and some of them reportedly shared it throughout the agency.

    Further review by the Inspector General’s office found that Chaffetz’s file had spread to nearly “every layer” of the Service, from administrative staff to top directors. The report further indicated that 18 supervisors (including assistant directors), the deputy director and the director’s chief of staff knew the information was being widely shared through agency offices. A Secret Service agent also reported that at a briefing for the visit of the Afghan president, nearly all 70 agents who attended the briefing were discussing it.

    So how can your company learn from the U.S. Secret Service’s mistakes? Start by developing (or confirming that you have) basic information security guidelines with respect to who can access sensitive data (such as personnel files or other confidential data) within your organization. Here are some key tips:

    • Start by following time-tested, industry, security best practices to review periodically (i.e., at least annually) the policies, procedures, practices and standards that protect sensitive data, files and records within your organization. Controls should include both logical (electronic) as well as physical access to data.
    • Have a discussion with appropriate IT security management staff within your organization to understand what processes are in place and gauge whether they have employed adequate preventive controls to thwart access to confidential files, particularly those in a “restricted database.” Additional discussions should cover the entire enterprise architecture including the network, the operating system and the application itself. Also ask which detective controls (e.g., audit logs) are being utilized to monitor access to these critical systems and question who (if anyone) is reviewing these reports and at what intervals.
    • Inquire whether the organization is using role-based access control (RBAC) – a common method of regulating access to data resources based on the roles of individual users, which are in turn defined by their job competency, authority and responsibility within the company – when assigning access to data files or systems.
    • Ask what software is being utilized to monitor or prevent confidential data from leaving the workplace. There are many data loss prevention (DLP) solutions that can monitor your network to prevent data exfiltration and inspect and/or deny egress traffic from carrying unauthorized content beyond the perimeter of the enterprise.
    • Lastly, gauge the adequacy of any privacy or human resource training that teaches employees what to do – and what not to do – if they come across confidential, internal information. This training should also cover topics such as not sharing user IDs or passwords and how to handle situations from management or colleagues when being encouraged to engage in unethical behavior (such as email threats or lying to/ concealing information from management, compliance, or audit personnel).
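One way to back the RBAC and audit-log points above with working checks, as an added example that is not part of the original post: a deny-by-default role-to-classification map enforces the preventive control, and a review pass over the access log surfaces both reads the policy should have blocked and a single restricted record read by an unusual number of distinct users in a short window (the "detective control" a log reviewer would want to see). The role names, record identifiers and log lines are constructed for illustration and are not from any real system.

```python
# Added example, not from the original post: a minimal role-based access
# check (preventive control) plus a review of an access log for a restricted
# record being read by an unusual number of distinct users (detective control).
# The role map, record ids and log lines are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical RBAC policy: which roles may read which record classifications.
ROLE_PERMISSIONS = {
    "hr_specialist": {"personnel_file"},
    "hr_director": {"personnel_file", "investigation"},
    "field_agent": {"protective_assignment"},
    "assistant_director": {"protective_assignment", "investigation"},
}


def is_authorized(role, classification):
    """Preventive control: a read is allowed only if the actor's role is
    explicitly mapped to the record's classification (deny by default)."""
    return classification in ROLE_PERMISSIONS.get(role, set())


# Constructed access log, one event per line:
# <ISO-8601 UTC timestamp> <user id> <role> <record id> <classification> <action>
SAMPLE_LOG = """\
2015-03-24T09:01:12Z u1001 hr_specialist REC-2003-0417 personnel_file READ
2015-03-24T09:05:40Z u2207 field_agent REC-2003-0417 personnel_file READ
2015-03-24T09:06:02Z u2301 field_agent REC-2003-0417 personnel_file READ
2015-03-24T10:15:33Z u0042 assistant_director REC-2003-0417 personnel_file READ
2015-03-24T11:00:00Z u0007 hr_director REC-2010-0099 personnel_file READ
2015-03-24T13:40:09Z u2388 field_agent REC-2003-0417 personnel_file READ
2015-03-25T08:30:00Z u2207 field_agent ASSIGN-0915 protective_assignment READ
2015-03-26T09:20:00Z u1001 hr_specialist REC-2003-0417 personnel_file READ
"""


def parse_log(text):
    """Parse the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, record, classification, action = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "role": role,
            "record": record,
            "classification": classification,
            "action": action,
        })
    return events


def find_unauthorized(events):
    """Reads that the RBAC policy would not have permitted. If any appear in
    a log, the preventive control is not being enforced where the data lives."""
    return [e for e in events
            if e["action"] == "READ"
            and not is_authorized(e["role"], e["classification"])]


def find_fanout(events, max_distinct_users=3, window=timedelta(hours=24)):
    """Detective control: records read by more than max_distinct_users distinct
    users inside any sliding window. Returns {record id: peak distinct users}.
    A personnel file normally has a handful of legitimate readers; dozens of
    distinct readers in a day is the pattern to escalate for review."""
    by_record = defaultdict(list)
    for e in events:
        by_record[e["record"]].append(e)
    flagged = {}
    for record, evs in by_record.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {start["user"]}
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                users.add(later["user"])
            if len(users) > max_distinct_users:
                flagged[record] = max(len(users), flagged.get(record, 0))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in find_unauthorized(events):
        print(f"UNAUTHORIZED {e['ts'].isoformat()} {e['user']} ({e['role']}) read {e['record']}")
    for record, n in find_fanout(events).items():
        print(f"REVIEW {record}: read by {n} distinct users within 24h")
```

The two checks answer different questions from the bullets above: `find_unauthorized` tells you whether the preventive control is actually being enforced at the data layer (a log full of reads the policy forbids means the "restricted database" is not restricted in practice), while `find_fanout` is the report someone has to be reviewing at a defined interval, with the threshold tuned to how many people legitimately touch that class of record.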

    We can speculate that, like most government agencies and mature organizations, the Secret Service has data security policies, procedures and practices in place, but the questions are whether they were truly being followed and whether so many employees need such pervasive access to data like Chaffetz’s file.

    Sadly, this is one of many incidents that can be reviewed as a case study in non-compliance with Information Security 101 principles. Your task – if you are unsure of the answers to the questions above – is to inquire whether your company, and any third parties accessing such data, have implemented proper controls so you don’t fall into the same trap.

    Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.

    Originally posted on the Huffington Post blog.

    When a Data Breach Occurs, Wil...

    10-19-2015


    October is National Cyber Security Awareness Month (NCSAM) — a collaborative effort among government organizations, businesses of all sizes, educational institutions, nonprofits, and consumers to ensure everyone has the resources they need to be safe online. For financial institutions, it’s a reminder to prepare or update your cyber safety and response plan, not only for your organization but for your account holders. To date in 2015, the banking, credit and financial industries have reported 41 data breaches, exposing at least 408,000 records, according to the Identity Theft Resource Center (ITRC). The breached entities range in size from a 200-location independent mortgage company to global banks with high name recognition. The banking/financial industry already accounts for nearly ten percent of this year’s breaches, based on the ITRC’s numbers, and since the full scope of many of those breaches isn’t yet known, the impact is likely to be far greater than the base numbers indicate.

    The sheer heft of those preliminary numbers, however, should underscore the fact that data breaches don’t just happen to the big boys; even a small bank can experience a cyberattack. When dealing with the aftermath of a data breach and achieving recovery is so challenging for financial institutions with vast resources and deep pockets, your small or mid-size FI simply can’t afford to be unprepared.

    When a data breach occurs – and many cyber security experts say it’s a question of “when,” not “if” – will you know what to do?

    Here are five key considerations when preparing your data breach response:

    1. Have a written data breach response plan that you update regularly.
      While the majority of banks and other companies now have data breach response plans in place, not everyone is satisfied with the efficacy of their plan. A written plan is essential to outline how your FI will respond when a breach occurs; who will be responsible for key actions; and how you will communicate to customers, regulators and the media. But your plan can’t be static. It needs to evolve as conditions change, and you need to revisit, test and update it regularly – at least once a year, and more often if significant environmental changes occur.
    2. Use a breach service for the right reasons.
      While large financial institutions may have a dedicated breach response team, nearly all of them rely on a breach response service for monitoring and resolution. These service providers can help you refine your data breach response plan, react quickly and effectively if a breach occurs, and keep you from running afoul of data breach regulations. Also, be sure you’re hiring a breach response provider for the right reasons. If personal identifying information is exposed in a breach, use a partner to monitor for and stop new account inquiries. In addition, offer a resolution service, so that if a consumer experiences an issue, they have a dedicated, professional team to help them through the identity restoration process. Do not rely on credit bureau monitoring to catch misuse of existing credit and debit cards; in the instance of a credit or debit card data breach, consider internet monitoring for underground or dark site card number sales.
    3. Keep control of the customer relationship.
      The reputational damages of a data breach can last longer and be more devastating than the monetary losses your bank might incur. Effective, personalized management of your FI’s relationship with consumers affected by a data breach is the best tool for mitigating reputational damages and restoring customer satisfaction. This tool is simply too important to leave in the hands of an outside agency, so choose a data breach partner who will allow you to retain control of the customer relationship.
    4. Offer identity theft protection and make it easy to enroll.
      When a breach occurs, consumers feel frightened and insecure, and they want the breached company to take care of them. In fact, a study by the Ponemon Institute found that 63 percent of consumers who’d been affected by a breach felt the company that experienced the breach should provide them with identity theft protection, and 58 percent said they wanted credit monitoring services, too. Yet only a quarter of those surveyed had been offered identity theft protection. None of this is surprising when you consider one more stat from the report – nearly half of those affected by a data breach fear their identities will never be safe again. Establish a relationship with an identity theft protection provider as part of your data breach response plan. If a breach occurs, act quickly to offer this protection to affected customers and use online and phone registration tools to make it as easy as possible for them to enroll.
    5. Choose a partner that understands your regulatory environment.
      Data breach response regulations are complex on their own. When you consider that a financial institution may have branches in multiple states, that means your data breach response plan must account for state-by-state variances in notification laws. Privacy standards and banking industry regulations add even more complexity, so it’s essential that you choose a data breach response partner that understands your regulatory environment and is familiar with data breach regulations.

    Take advantage of available resources this month and throughout the year for tips on keeping your financial institution and your account holders safe online.

    Paul Bjerk is a Fraud and Risk Products Leader with Shared Assessments Program member, Deluxe Corporation. Connect with Paul on LinkedIn.

    Reposted with permission from Deluxe Blogs

    Do Certain Companies Need A Se...

    10-14-2015


    The Santa Fe Group, Chairman and CEO Catherine A. Allen, joins TK Kerstetter, host of “Inside America’s Boardrooms,” to discuss… Do Certain Companies Need A Security Committee?

    [Image: Cathy Allen on the Nasdaq Tower, Inside America’s Boardrooms, 10.6.2015]

    Episode Summary

    It makes sense that certain industries might get more attention with respect to the sensitivity of their data or their cyber risk impact on national security. Cathy Allen and host TK Kerstetter discuss the role of a Security Committee on the board. Due to Allen’s lengthy technology background, she is asked (1) whether other board members are looking to her for guidance, and (2) how she gains comfort, as the “IT expert,” that the company has the right people and resources in place.

    This show also discusses Allen’s experiences and views on an IT crisis management plan and board evaluations.

    Catherine A. Allen is the chairman and CEO of The Santa Fe Group, a strategic advisory group based in Santa Fe, New Mexico, that specializes in briefings to C-level executives and boards of directors at financial institutions and other critical infrastructure companies, and provides management for strategic industry and institutional projects, including the Shared Assessments Program, focused on vendor risk management. Catherine serves on the boards of Synovus Financial Corporation and El Paso Electric Company and is a member of the Risk, Energy and Natural Resources, Nominating and Governance, and External Affairs Committees, as well as chair of the Security Committee. She sits on the Advisory Committee for Houlihan Lokey.

    It’s Not Just a Check The Bo...

    10-13-2015


    Last week I outlined ideas on implementing appropriate best practices in structuring effective compliance programs. Leveraging program management disciplines can streamline the logistics of compliance management. However, process alone is not sufficient without the right “tone at the top” to focus an organization’s efforts. Senior leadership within an organization is accountable for managing risk and compliance for their respective areas, providing the right direction and prioritization for compliance activities. A compliance officer needs to be able to connect the dots on key policies and actions to help both executives and employees understand expectations.

    Here are some thoughts on maturing the compliance culture, without over-burdening employees with all the compliance details:

    • Executive buy-in is critical to success: Know who the key stakeholders are for each area of compliance focus. Create an elevator speech for your executives that tells the value proposition for each compliance area – help them tell the story in just a few sentences. Identify both qualitative and quantitative measures and metrics to gain support. Treat your compliance investments with the same business case methodologies you use for other investments, to help grow support for the changes you need to make. Nothing has more credibility than when Senior Leadership provides visible verbal and written support to a compliance program.
    • Make it real to employees: Keep the message in simple terms so employees understand their role. Most employees won’t be involved in all aspects of compliance. Organizations that try to educate on the nuances of each regulation can lose employee mindshare in the detail. Leverage news or media events or examples to demonstrate how other organizations have had to deal with compliance issues. Use examples to translate those issues into your organization to make it real.
    • Transparency in reporting: A mature compliance culture has agreed-upon criteria for risk rating and how to escalate. Use common terminology for what is “Red – Yellow – Green”. If your compliance dashboard is always GREEN and then you escalate a major issue to RED, you have not taken the leadership on the journey. Make sure you focus not only on internal drivers but on external market factors that can shift your risk thresholds.
    • Driving accountability: Compliance is not a consensus model. The compliance program needs to have clearly identified stakeholders and owners. Ensure that ownership is at the deliverable and outcome level and not just a review of information level. Scorecards are a good way to track accountability – especially when multiple areas need to work together.
    • Board level engagement: Boards and Audit or Governance Committees have obligations to the company. Executive management needs to engage and inform the Board of the risks and actions the company is taking. If the Board is driving the details of the compliance program, that’s a sign that leadership is not taking the right level of accountability. The Board should be “noses in” and “hands out” when it comes to compliance program details. Build education programs to help your Boards and Committees better understand emerging areas of compliance. Educated leaders make better business decisions.

    So as your organization heads into the fourth quarter, focus your 2016 list on strengthening the culture of compliance. Starting with some self-reflection helps you focus on the tactics that are going to resonate with leadership and employees.

    • What are the biggest challenges for your organization for compliance management?
    • What changes (internal and external) require you to make compliance changes?
    • Has the organization’s risk appetite changed?
    • Are there new leaders on board?

    I like to leverage simple tools with my team to get to root causes of an issue. A favorite of mine is THE FIVE WHYS, a lean methodology. Take a compliance topic or challenge from above and break it down. Have your team answer the question and respond with WHY. Do that five times for each question and you will get at some of the cultural challenges you need to overcome to mature your compliance culture.

    Linnea Solem is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    Building Breach Resistance in ...

    10-11-2015


    By: Jeremy Henley, ID Experts
    Originally posted on the ID Experts blog. Reposted with permission.

    According to the Ponemon Institute’s 2014 Global Report on the Cost of Cybercrime, a quarter of organizations worldwide fail to meet their own security requirements. If your organization is one of that 25 percent, given the surging rate of cybercrime, you are probably hurrying to ramp up privacy and information security programs, staff, and budget. If yours is one of the 75 percent that does meet its own requirements, take a moment to congratulate yourself—just a moment—and then think about all your business partners, third-party service vendors, and suppliers. If 25 percent of them are not meeting their own security requirements, what are the chances they’re meeting yours?

    In the previous article in this series, we discussed the fact that human error is often the weak link that leaves organizations vulnerable to cybercrime, and we looked at ways to build breach resistance in the organization. But your partners and suppliers can also make mistakes or simply have poor security practices. As Rocco Grillo, managing director at consulting firm Protiviti says, “You can have all the security in the world inside your company’s four walls, but all it takes is a compromise at one third-party vendor that’s connected to you [to create] a bridge directly into your organization.” In fact, Protiviti’s 2015 Vendor Risk Management Benchmark Study found that, on a scale of 1 to 5, organizations rate an average of 2.8 on the maturity of their vendor risk management practices. That leaves a lot of room to improve breach resistance in your business ecosystem. Let’s look at some of the things you can do.

    Make Requirements Clear
    Depending on your industry, there may be a long list or a whole network of regulations governing privacy and information security practices, and some—the Health Insurance Portability and Accountability Act (HIPAA), ISO 27001/2, the Consumer Financial Protection Bureau (CFPB) regulations, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, among others—have specific requirements for working with third parties. But some of your vendors may not be in your industry, may not know the regulations, or may have no idea the requirements apply to them. So the first step in managing third-party risk is to make sure your third parties know what is expected of them.

    Defining requirements can begin with vendor selection. Before choosing a vendor for any service that has access to information (anything from cloud computing and data processing to a temp agency or an HVAC company or janitorial service that sends staff to your facilities), bring together the hiring department and stakeholders, privacy and security staff, and the responsible purchasing or HR person to identify the information risks associated with that vendor and to build security requirements into the screening and hiring process. Once the vendor is selected, carry those security and privacy requirements into the contract, wherever possible quantifying them with performance-based contract provisions such as service-level agreements (SLAs), key performance indicators (KPIs), or key risk indicators (KRIs). Cyber attorney Sean Hoar, partner at Davis Wright Tremaine LLP, says you should require third parties to commit to following commercially reasonable practices. “If the primary party [your organization] has a best practice framework it follows, that framework may be used as the standard to be followed by the third party, and it can be incorporated into the contract. If I am counseling the primary party, I would also recommend the inclusion of an indemnification provision wherein the third party indemnifies the primary party for any compromise of its system up to the value of data or likely harm that might result if the third party service is compromised. This provides a significant incentive for the third party to increase and sustain a healthy security posture. The indemnification provision should be backed up with sufficient cyber liability insurance coverage and the primary party should be listed as an ‘additional insured’ on the policy.”

    Favor Certified Vendors
    In some fields, vendors may be able to offer you an additional level of assurance through security certifications. For example, the Cloud Security Alliance offers multiple levels of security certifications for cloud-based vendors, and some of their certification levels include independent audits. The Global Information Assurance Certification (GIAC) offers cybersecurity certification in a number of areas, from mobile device management to industrial control systems, and the International Information System Security Certification Consortium, Inc. (ISC)² offers the Certified Information Systems Security Professional (CISSP) certification, with specializations in areas such as architecture, engineering, and management. Individual technology vendors, from Microsoft, IBM, and Intel to Cisco and Symantec, also offer certifications for their technologies. Look for potential partners who have support staff with security certifications relevant to your business.

    The Shared Assessments Program, a consortium of leading financial companies and key service providers, also offers tools and resources for conducting vendor risk assessments. Screening potential third-party vendors for security and privacy programs and practices should be a standard part of vendor selection, but industry-specific certifications and risk assessments provide additional assurance that your vendor will be able to meet your security needs.

    Help Your Partners to Protect You
    Your vendors want to protect their relationship with you, and they don’t want to become party to legal action or penalties resulting from a breach, so they should be eager to partner with you in protecting your information. You can help them in a variety of ways:

    • Train them in your security practices by including key vendor personnel in your training programs and by empowering them to train their own staff.
    • Provide clear communication channels and schedule regular check-ins to discuss privacy and security processes and review key indicators.
    • Make sure that there is a well-defined process for escalating privacy and security-related incidents, and that all relevant staff within both organizations know it. Run periodic drills to make sure it is working.
    • Include your vendor’s staff in security awareness programs to warn them of emerging threats and help them build resistance to phishing, visual hacking, and other kinds of attacks that may compromise their system security and yours.
    • Require them to periodically review and report to you on security programs with their own vendors and on cloud app usage within their organizations. (A new study from Skyhigh Networks shows that the average organization is using over 10 times more cloud services than the IT organization knows about. If you add up the “shadow services” that your organization is probably using and the ones that all your vendors are using, that could be a massive security hole.)

    Hold Them Accountable
    Defining security requirements for vendors is important, but it’s not much use if you don’t monitor to make sure the requirements are being met. According to the Protiviti study, the category Tools, Measurement, and Analysis is one of the weakest areas in most organizations’ vendor risk management (2.4 out of 5), and most don’t allocate enough resources for vendor risk management activities. You need to allocate people, time, and resources to track security performance indicators with your vendors and to address issues if they are not being met. And if you are ending the business relationship with a vendor, whether due to performance or because the business need has changed, you also need to allocate resources to make sure your data is securely and completely removed from their systems.

    If there is a security incident or breach due to third-party error or negligence, Hoar says that your remedies will primarily be contractual. “This is why it is important to conduct due diligence up front on third-party providers, draft indemnification clauses into every third-party service contract, and ensure that the indemnification is backed up by cyber liability insurance coverage which equates to at least the value of data processed, transmitted or stored by the third party service.”

    In this age of interconnected systems, outsourced business processes—and software, applications, and infrastructure as services—businesses depend on a whole ecosystem of third parties to stay agile and competitive. As with any other ecosystem, the denizens of your business community can flourish or fail together, so you and your business partners and suppliers have a vested interest in protecting one another from the predations of cybercrime. With good communication, collaboration, and proactive oversight, you can.

    Jeremy Henley is the director of breach services for ID Experts. Henley has direct oversight for all breach incident management services. He has been certified by the Healthcare Compliance Association for Healthcare Privacy and Compliance and brings more than a dozen years of sales, consulting and leadership experience to the ID Experts team.

    Back to School Basics: Best Pr...

    10-07-2015


    School is back in session, fall has begun, and we are approaching the start of Q4. Organizations of all sizes are finishing their financial plans for 2016 and likely conducting end of year internal fall housekeeping on projects and initiatives. This is a great time to dust off the approach to managing compliance with a program management discipline. In this two part blog series, I’ll focus on best practices in structuring your compliance programs, and how to address ensuring executive support and maturing the culture of compliance.

    Structures for Compliance Programs

    Each area of compliance has different expectations for what activities must be performed on an ongoing basis. While regulatory expectations are growing, there are common elements that can be leveraged with repeatable processes. Non-regulated organizations may leverage compliance programs simply for brand or good corporate governance. However, with the scale of regulatory oversight and the broadened areas of compliance for banking organizations, risk and compliance teams can feel overwhelmed by both the complexity and the workload of managing compliance. Whether you are managing compliance for privacy, remote deposit capture or consumer protection, there are synergies in having standardized methodologies for risk assessments, management reporting, and compliance documentation. Leveraging common approaches also enables stronger communication to executives and lines of business, who see the same formats in how risk and compliance are communicated within the organization.

    Focus on a risk assessment, and ensure you utilize resources from multiple levels within the organization. In many cases, the people closest to the day to day operations can spot issues or gaps, but may not be the best resource to quantify the implications to management. A cross functional viewpoint in conducting a risk assessment can be effective in ensuring that there are not “blinders on” in looking at the risks.

    • Governance: Set realistic expectations for the governance committees and approvals. Process maturity can help with advancing decision making, but don’t create too many layers of approvals that burden the objective of the governance process.
    • Policies, Standards, Procedures: Good policies are written in such a way that the compliance goal or objective is clearly understood in simple terms. Avoid putting too much operational detail into “how” you meet the objective, as controls evolve and you don’t want operational differences to create auditable compliance gaps. Focus on the “Whats”; let the standards and procedures convey the “Hows”. It is also critical that employees and executives understand the risks and implications for non-compliance – the “So Whats?”
    • Education, Training, & Awareness: Recognize that while some compliance topics are appropriate for all employees, you may need to have layered training based on level of risk or accountability. Make the message personal and actionable so employees can understand in the scope of their job what they are being held accountable to do.
    • Monitoring & Auditing: Don’t take the needle in a haystack approach and overengineer your compliance auditing efforts. You want your risk and compliance teams focused on the higher risk compliance areas, spending more of their time on the risks that can have the greatest impact. Document your assumptions for the approaches you took to monitoring and where you can leverage risk assessments across different compliance areas if there are common controls.
    • Complaint & Incident Management: Monitoring the right metrics can help you identify leading indicators of a compliance issue. Ensure that you have defined escalation processes for complaints and incidents to get the right attention at the right levels in the organization.

    Effective compliance programs need to be tailored to each organization based on risk appetite but also embedded in current organizational structures. While a “compliance in a box” sounds like a great idea, managing risk requires empowered and informed leaders to apply risk and compliance strategies to how they operate or conduct their business. Effective compliance program structures balance the impact to the organization with the likelihood of the risks.

    Linnea Solem is Chief Privacy Officer and Vice President, Risk and Compliance, for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    Joint Advisory Bulletin: Mobil...

    09-30-2015


    Earlier this month, the U.S. Secret Service, in collaboration with the Payment Card Industry (PCI) Security Standards Council, released a Joint Advisory Bulletin: Mobile Payment System Vulnerability. The advisory discusses the Growing Criminal Exploitation of Provisioning in Mobile Payments.

    Excerpt:
    The Secret Service has observed a steady increase in criminals exploiting vulnerabilities in the account provisioning and verification process for near field communication (NFC) payments to commit fraud. Specifically, criminals are using stolen identity information (e.g., credit reports, tax records, healthcare and employee records that contain personally identifiable information) to establish fake accounts on NFC devices and make illicit transactions both online and at “brick and mortar” retailers. Over the last several months, perpetrators have conducted numerous fraudulent transactions using this particular method of exploitation affecting many high-end retailers and banking institutions across the Northeastern portions of the United States.

    Continue reading the full joint advisory at the original source.

    How Moral Reasoning in Busines...

    09-28-2015


    In my previous blog, we discussed how replacing words like “think” and “feel” with “believe” while posing questions to your staff can provide better insight into your employees’ ability to deliver responses that contain both a logical and an emotional analysis in a single response. This month’s continuation of this topic will discuss applying the same moral reasoning concepts when your boss is asking you for your opinion.

    Let’s imagine that your boss is asking you for a detailed response to a question about a project you’re working on. Based on the same premise that we used in Part 1, apply the same reasoning:

    • If they ask what do you think – provide a response based on your logic and analysis
    • If they ask what do you feel – provide a response based on your emotions and feelings
    • If they ask what do you believe – provide a response based on your moral reasoning.

    Note that if your superior is asking for your educated opinion (based on logic) but instead asks, “what are your feelings on this?” you can try to clarify the comment by prefacing your reply with “I think we should…” and then provide them with your logic-based reply.

    What About Going with Your Gut?

    A recent article in Medical Daily indicated that “going with your gut” is intuition coupled with instinct. According to the article, intuition is formed by a collection of beliefs, experiences and memories, and is “more hardwired” into humans; whereas instinct is the body’s biological tendency to make one choice over another, relying on a pattern of behavior in response to specific stimuli.

    With this understanding, going with your gut is a product of past experiences – whether good or bad – and in my view, is filed away as knowledge in your belief system. Going with your gut plays on past experiences and analyses filed away in memory; it’s what we fall back on when we are thinking a situation through. Because it is based on past experiences rather than our current emotions, I cannot qualify going with your gut as moral reasoning; however, it still plays a significant role in shaping a response to the “what do you think?” question.

    Now, let’s consider an example where you go with your gut and then add in your present state of emotion.

    Say you want to add a new person to staff and you’re looking through their qualifications. You feel they’re light on experience for what the job entails, but they appear passionate about the position and have proven to be competent in previous roles, which tugs on your heartstrings to give them a shot.

    Your gut is telling you “we’ve been through this before with a previous employee and it didn’t work out. I noticed they’re passionate about this position — which was lacking previously — but I need someone with experience who can get the job done with little supervision.” If you decide to simply go with your gut, then you would move onto the next candidate.

    However, if you’re taking into account moral reasoning, utilizing your analysis (your gut) and your emotions, you may think, “you know, they’re a little thin here on the experience but they really display a passion for this role and I like this person; I feel good about them! Perhaps I can have some staff provide some training and see where it takes us.”

    Each case handles the dilemma differently. In the first example (going with your gut) the candidate is immediately dismissed due to a lack of experience. Clearly, you had a previous experience that hindered you from allowing this person to come on board, despite their passion to fill the role.

    In the second example, you understood the lack of experience, which is something you may not be able to afford, but are willing to let your emotions guide you in the final decision, as you feel the candidate’s passion is genuine and there is potential for them to become the successful employee you’ve been longing for.

    You need to be careful and use good judgement as to how much emotion should play into your decision making. Feelings can sometimes overpower and cloud your rational thought, and in many cases, you may find it most appropriate to provide a response based more on educated thinking than an emotional response.

    Becoming a Trusted Advisor

    It can be difficult to know when your feelings should play a role in your response to a thought-provoking situation.

    As an advisor, if you have a solid relationship with your superior, then perhaps you can also provide them your feelings confidentially and let them respond accordingly. But if you’re called on in front of a group of peers about a subject on which you have strong feelings (e.g., a project, a vendor, another person, etc.), you need to be wise and understand any possible fallout from revealing such emotions, so choose wisely in such a situation.

    I’ve learned that providing your beliefs (moral reasoning) while responding to questions tends to show management that you have been careful to think deeply and clearly about the subject at hand, giving them more confidence in your ability to provide solutions to problems within your business. Likewise, asking your team to tell you what they believe will bear similar results, as well as insight into what they are willing to share with you. This can become extremely useful in gauging who you can truly count on when assigning special projects, since certain tasks may align with one employee’s moral code or belief system but not another’s.

    Ultimately, the hard lesson learned from this exercise is the ability to identify those people whom I can add to my short list of truly trusted advisors and add myself to my superior’s list of truly trusted advisors.

    References:

    http://www.psmag.com/health-and-behavior/identity-is-lost-without-a-moral-compass

    http://www.medicaldaily.com/your-gut-feeling-way-more-just-feeling-science-intuition-325338

    Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.

    Originally posted on the Huffington Post blog.

    Current State of International...

    yadzinski 09-23-2015


    Understanding the New Rules of the Game

    During the past decade, ISO has published many management system standards for topics ranging from quality and environment to information security, business continuity management and records management.

    Despite sharing common elements, ISO management system standards have come in many different shapes and structures because they are developed by numerous committees. While there were many common components, they were not sufficiently aligned, making it difficult for organizations to rationalize their systems and to interface and integrate them. This, in turn, resulted in some confusion and difficulties at the implementation stage.

    As many organizations seek to implement and certify multiple management system standards, they need to be able to combine or integrate them easily, in an effective and efficient manner.

    Therefore, in 2012, ISO completed work to provide a standard for standards. It is effectively a guide to help standards developers write management system standards, and it provides a template for how the management system is written. It is known as Annex SL Directive 1, or more commonly as the High Level Structure (HLS). (IRCA)

    The Annex SL contains an identical structure, text, and common terms and definitions for management system standards to ensure consistency among future and revised management system standards and to make integrated use simpler. It makes the standards easier to read and, in so doing, easier for users to understand and easier to format in order to meet multiple regulatory and compliance needs, i.e., implement once, comply many.

    This structure has been mandated by the ISO management board with the specific intention that this will enhance consistency in the implementation of management system standards.

    The Annex SL consists of eight clauses and four appendices. The audience for this annex is primarily ISO technical committees who develop management system standards; however, the impact of Annex SL will be felt by all users of management system standards in the future in that it defines the common high level structure, identical core text and common terms and core definitions.

    In the future, all management system standards will need to have these elements. Although this means that there will be duplication, it will also mean that they will all have the same look and feel. In addition, there will be less confusion and inconsistency because common terms will all have the same definition and there will be common requirements across all the management system standards.

    The High Level Structure, as defined within Annex SL Directive 1, describes the framework for a generic management system. However, it requires the addition of discipline-specific requirements to make a fully-functional quality, environmental, service management, food safety, business continuity, information security or energy management system standard.

    [Figure: Annex SL structure; image not reproduced]

    The 10 clauses are as follows:

    [Figure: the 10 clauses; image not reproduced]

    The idea behind this effort is close and consistent global harmonization with regard to standards. We are already seeing the result of these efforts with the NIST Cybersecurity Framework and the UK Government Cyber Essentials. NIST, the UK government and BSI Standards communicated closely during the development process of the specific frameworks. They are very similar, with the distinction that Cyber Essentials adopted a standard, the ISO/IEC 27000 series of standards, while NIST took the approach of mapping to commonly used standards. One common area they both share is a required measurement of maturity.

    [Figure: HMG Cyber Essentials; image not reproduced]

    [Figure: The NIST Cybersecurity Framework; image not reproduced]

    The common thread we are seeing throughout the international community is the use of international standards (ISO) because of the consistency, centralized management and development structure and its agnostic approach (not owned by any one entity or country).

    If we are to survive the new cyber war environment, consistency, collaboration and information sharing are critical, so that we are all speaking the same language, separated only by the specific industry requirements based on risk and classification of information.

    What are the next steps?

    1. “Collect, Reflect, and Connect” (NIST) – Understand where the industry is having success, help others understand those successes, and facilitate relationships that support understanding and use.
    2. Continue education efforts, including creation of self-help and re-use materials for those who are new to the framework(s).
    3. Continue awareness and outreach with an eye toward industry communities who are still working toward framework knowledge and implementation.
    4. Educate on the relationship between framework(s) and the larger risk management process, including how organizations can use a measure of maturity to help drive improvement.

    Bibliography
    IRCA. (n.d.). The most important event since ISO 9001. Retrieved from http://www.irca.org/Documents/press/2012/IRCA%20Briefing%20note%20-%20Annex%20SL%20(previously%20ISO%20Guide%2083).pdf

    John DiMaria; CSSBB, HISP, MHISP, AMBCI, is the Sr. Product Manager, System Certification for BSI Americas and a member of the Shared Assessments Steering Committee. John has 30 years of successful experience in standards and management system development, including information systems, ISMS, business continuity and quality assurance. Connect with John on LinkedIn.

    Notice: The views expressed in this blog are those of the author and should not be interpreted to have been endorsed or otherwise represent those of BSI Group, or any other of its employees, officers, directors or anyone otherwise affiliated with BSI Group.

    Business Continuity: What Do T...

    09-22-2015


    For many businesses, they are nothing more than words.

    Business Continuity is more than simply having a slightly modified template version of a Business Continuity Plan (BCP) that took a few hours to complete in order to satisfy your Manager or an outside entity. Instead, it is a never-ending process of risk assessments, risk mitigation, plan maintenance, testing, and improvement.

    A Business Continuity Plan describes the processes and procedures an organization puts in place to ensure that essential functions can continue during and after a disaster. Business Continuity planning seeks to prevent interruption of mission-critical services, and to reestablish full functioning as quickly and efficiently as possible. A well-documented and tested plan serves as a roadmap to prevent the escalation of loss, thereby reducing the economic impact to the company and its employees in the form of lost customers, market share, profits, reputation, and jobs.

    How will your company respond to a significant business disruption such as a hurricane, tornado, data breach, earthquake, power loss, fire, or flood?

    For an example of how not to respond, view “The Office” fire safety video on the Internet.

    Business Continuity is centered on three key elements:

    1. Resilience: critical business functions, operations, supplies, systems, and relationships are designed and engineered in such a way that they are materially unaffected by most disruptions, for example through the use of redundancy, spare capacity, and the ability to perform the function remotely.
    2. Recovery: planning and arrangements are made ahead of time to promote the recovery of critical organizational functions that could fail at the location.
    3. Contingency: the organization establishes a preset capability and readiness to cope effectively with significant business disruptions. Contingency preparations constitute an alternative response if Resilience and Recovery arrangements prove insufficient.

    So how do you take action? Let’s start with two main components of a BCP.

    Vulnerability Analysis

    A key part of the BCP Process is to conduct a vulnerability analysis, which is an assessment of the potential risks to the business which could result from disruptive events, disasters, or emergency situations. It is necessary to consider all the possible incidents and the impact each may have on the organization’s ability to continue to deliver its normal operations.

    The following potential disruptive event groupings are typically assessed:

    • Environmental Disasters
    • Equipment or System Failure
    • Loss of Utilities and Services
    • Organized and / or Deliberate Disruption
    • Other Emergency Situations
    • Serious Information Security Incidents

    Each potential disruptive event under each grouping should be assessed to determine its possibility of occurrence (Probability Rating) and its possible impact (Impact Rating) on People, Property and the Business, using set numerical values for each rating combination, and documented in a Vulnerability Analysis Chart. Types of disruptive events with a high rating need to be examined in further detail, with a prepared analysis of the consequences of the specific scenario.
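    The Probability Rating x Impact Rating scoring described above, carried through for a few constructed events, as an added example that is not part of the original post. The 1–5 scales, the rule that the worst category rating drives the overall rating, and the high-rating threshold of 15 (out of a maximum of 25) are assumptions, since the post names the ratings but not the scales; the sample events are constructed for illustration.

```python
"""Vulnerability Analysis Chart: rate each disruptive event by
Probability Rating x Impact Rating for People, Property and Business.

Added example. The scales, threshold and sample events below are assumptions
for illustration, not values from the post.
"""
from dataclasses import dataclass

# Assumed 1-5 ordinal scales; the post requires numeric ratings but gives no scale.
PROBABILITY_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
IMPACT_CATEGORIES = ("People", "Property", "Business")
# Assumed: a rating of 15 or more (of a 25 maximum) is "high" and needs a scenario analysis.
HIGH_RATING_THRESHOLD = 15


@dataclass
class DisruptiveEvent:
    grouping: str        # one of the disruptive event groupings listed in the post
    name: str
    probability: int     # Probability Rating, 1-5
    impact: dict         # Impact Rating per category, each 1-5

    def __post_init__(self):
        # Reject ratings that are off the scale so a typo cannot silently hide a risk.
        if self.probability not in PROBABILITY_SCALE:
            raise ValueError(f"{self.name}: probability {self.probability} not on scale")
        if set(self.impact) != set(IMPACT_CATEGORIES):
            raise ValueError(f"{self.name}: impact must cover {IMPACT_CATEGORIES}")
        for category, score in self.impact.items():
            if score not in IMPACT_SCALE:
                raise ValueError(f"{self.name}: {category} impact {score} not on scale")


def category_ratings(event):
    """Probability x Impact for each category: one chart cell per category."""
    return {cat: event.probability * event.impact[cat] for cat in IMPACT_CATEGORIES}


def overall_rating(event):
    """The worst category rating decides whether the event needs detailed analysis."""
    return max(category_ratings(event).values())


def build_chart(events):
    """Rows of the Vulnerability Analysis Chart, highest overall rating first."""
    rows = []
    for event in events:
        ratings = category_ratings(event)
        rows.append({"grouping": event.grouping, "event": event.name,
                     "probability": event.probability, **ratings,
                     "overall": max(ratings.values())})
    return sorted(rows, key=lambda row: (-row["overall"], row["event"]))


def events_needing_scenario_analysis(events, threshold=HIGH_RATING_THRESHOLD):
    """Names of events whose overall rating meets the high-rating threshold."""
    return [event.name for event in events if overall_rating(event) >= threshold]


# Constructed sample events, one per grouping (illustrative ratings only).
SAMPLE_EVENTS = [
    DisruptiveEvent("Environmental Disasters", "Hurricane", 2,
                    {"People": 4, "Property": 5, "Business": 4}),
    DisruptiveEvent("Loss of Utilities and Services", "Regional power loss", 4,
                    {"People": 1, "Property": 2, "Business": 4}),
    DisruptiveEvent("Serious Information Security Incidents", "Ransomware outbreak", 4,
                    {"People": 1, "Property": 3, "Business": 5}),
    DisruptiveEvent("Equipment or System Failure", "Core server failure", 3,
                    {"People": 1, "Property": 2, "Business": 3}),
    DisruptiveEvent("Organized and / or Deliberate Disruption", "Deliberate sabotage", 2,
                    {"People": 3, "Property": 3, "Business": 3}),
]


def render_chart(events):
    """Plain-text rendering of the chart for a report or review meeting."""
    header = f"{'Event':<22}{'Prob':>5}" + "".join(f"{c:>10}" for c in IMPACT_CATEGORIES) + f"{'Overall':>9}"
    lines = [header]
    for row in build_chart(events):
        cells = "".join(f"{row[c]:>10}" for c in IMPACT_CATEGORIES)
        lines.append(f"{row['event']:<22}{row['probability']:>5}{cells}{row['overall']:>9}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_chart(SAMPLE_EVENTS))
    print("Needs scenario analysis:", events_needing_scenario_analysis(SAMPLE_EVENTS))
```

    The validation in the dataclass is deliberate: a rating entered off the scale would otherwise produce a plausible-looking number and silently drop or inflate an event. Keeping the threshold as a named constant makes the assumption visible when the chart is reviewed, which is what the post asks for when it says to document the assumptions behind the approach.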

    Business Impact Analysis (BIA) Questionnaire

    The Business Impact Analysis (BIA) Questionnaire is the tool used to gather pertinent information about an Organizational Unit Function, Product or Process to include Business Recovery Time Objectives (RTOs), Recovery Assumptions, Recovery Options, Critical Resource Requirements, Manual Workarounds, Special Procedures, Vital Records, Dependencies, and Maintenance Triggers/Future Endeavors.

    The information that is captured through the BIA Questionnaire completion process is mapped against various business and/or operational impacts which help to facilitate the development of recovery strategies and prioritize recovery efforts at both the Organizational Unit and critical process levels.

    At a minimum, BIA Questionnaires should be reviewed semi-annually and updated/revised as necessary, and the review should be documented for reference and auditing purposes.

    The BIA information is a core component to building a Business Continuity Plan and, ultimately, vital information that will be used and relied upon in the event of a disaster/event/disruption.

    Don’t wait until it’s too late and you’re in the middle of a crisis. Conduct your analyses now and be prepared to respond. My next blog post will provide additional key components of a BCP such as assigning specific job functions and testing outcomes to help you fully put your plan into action.

    Linnea Solem is Chief Privacy Officer and Vice President, Risk and Compliance, for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    Webinar: Can Peer Collaboratio...

    09-18-2015


    Under the auspices of the Shared Assessments Program, top-tier financial institutions have been working collaboratively on an innovative approach to develop a proven methodology for performing single assessments of a vendor by multiple financial institutions.

    View this previously recorded webinar as Robin Slade, Executive Vice President and Chief Operating Officer, The Santa Fe Group, discusses how peer collaboration can be used as a cost-effective and efficient way to manage third-party risk, strengthen vendor relationships, and protect an organization’s most critical assets.

    Robin Slade is Executive Vice President and Chief Operating Officer with The Santa Fe Group. Robin leads all activities of the Shared Assessments Program, including managing its Member Forum, working groups and the Certified Third Party Risk Professional program. Connect with Robin on LinkedIn.

    Shared Assessments Program Chair, Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc., is responsible for driving the direction of Prevalent, as well as managing the sales, project management, operations, legal, and marketing organizations at the company.


    Dodd-Frank Rewrite To Compel C...

    09-16-2015


    The newly proposed Dodd-Frank rewrite, which is currently part of the $21 billion funding bill being deliberated by the Senate, would cause a shakeup in the riskiness of third-party relationships with banks and financial services organizations which have less than $500 billion of assets on their books, causing companies to have to reevaluate their risk profiles.

    In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act was enacted to tighten the regulations imposed on Financial Institutions following the 2008 financial crisis. The major issues addressed within Dodd-Frank were: increased capital reserve requirements, the creation of the Consumer Financial Protection Bureau (CFPB), and increased transparency in derivative trading.

    The proposed Dodd-Frank rewrite looks to change two of the three major issues that the original Dodd-Frank addressed, leaving derivative trading alone. In terms of capital requirements, the rewrite is looking to lower the capital reserve requirements for those organizations that have less than $500 billion of assets on their books. This new “too big to fail” threshold is 10 times the current $50 billion threshold. The main argument for this change is that main street and regional banks are being treated like larger Wall Street banks, which is “unfair.” Along with the lowering of capital reserve requirements, the rewrite looks to allow organizations to provide potentially riskier loans, as long as those loans remain on their books as opposed to being traded through CDOs.

    How does this affect the third-party risk environment?

    With lower capital reserves comes a higher chance of financial instability and therefore failure. The Dodd-Frank rewrite, while giving the possibility for greater revenue generation for banks, also increases the risk of bank failure. A primary concern with the rewrite is that no provision is made for additional regulatory oversight on how the additional capital will be used. Although the rewrite forces banks to keep all loans on their books, there are no regulatory sanctions regarding the type or riskiness of the loans a bank may write. By forcing banks to keep all written loans on their books, as opposed to trading them through CDOs, the risk of interconnected banks leading to an economic collapse is greatly reduced. However, while decreasing the risk of overly interconnected banks, the rewrite doesn’t address the risk associated with each individual bank.

    Inspecting the rewrite at an individual bank level, it lacks necessary regulatory oversight. Lower capital reserves mean that a bank has less of a safety net in the event of an economic downturn. The issue with allowing banks to hold lower levels of capital on hand is that the economy is filled with uncertainty. With the current economic situation in Greece, the currency issues facing Asia, and countless other economic issues, the risk of an organization defaulting on a loan is nearly impossible to calculate accurately.

    With this level of uncertainty comes an increased risk of default, which in turn creates a greater risk of loss for the bank. This potential for loss, paired with the lower capital reserve requirements, leads to an increased risk of bank failure. The changes in capital reserve requirements directly increase the potential for loss and therefore make additional monitoring of all banks, and reassessment of their risk profiles, a necessary part of third-party risk assessment for these institutions.

    Emil Kranz is a VTM Third Party Risk Analyst at Prevalent, Inc., where he is in charge of in-depth, accurate analysis of 3rd-party organizations, customer support, and research and development of VTM features. Originally posted on the Prevalent blog. Reposted with permission.

    How Moral Reasoning in Busines...

    09-07-2015


    Though I am not a psychologist, I have spent many years managing teams, leading projects, and advising people – experiences that have helped me realize the importance of appropriately phrasing questions – in both social and business settings – to provoke thoughtful opinions from others (a tip of the hat to Dr. Frank Luntz and his wonderful book, Words That Work: It’s Not What You Say, It’s What People Hear). I’ve learned from experience how responses can vary based on how you phrase a question. For example, the question, “what are your thoughts on this?” could elicit a much different reply than “what are your feelings about this?” There is a difference between “thinking” and “feeling.”

    When I ask someone what they think, I want the responder to apply their logic. When I ask what they feel, I expect their emotions to play into their response. However, a question sometimes requires a multi-dimensional analysis – a response that is both cerebral and sentimental. That is when I began to consider a third alternative: replacing both thoughts and feelings with beliefs.

    Let’s try a business scenario as an example: You’ve been alerted that a key project managed by a vendor has fallen off the rails, causing a huge mess across the enterprise. You are in your office with three advisors and you ask the question “what do you believe we should do here?” Let’s look at their replies:

    Advisor 1: “We need to dump them! There are a lot of eyes on this project and they’re supposed to be the subject matter experts. I feel what occurred was inexcusable and it’s going to cause a huge headache for all of us on the backend – particularly with our customers.”

    Advisor 2: “No – we need to keep them as they are also contributing to other projects. I think we need to wait to hear from them as to exactly what occurred. This fail may have been something that was unavoidable but we should at least allow them to tell us what occurred.”

    Advisor 3: “Let’s bring them in immediately and talk to them directly. I believe they’ve always delivered and come in on budget in the past. Also, they’re not overpriced and we do need to take into consideration the long-term relationships our various business units have with them. Perhaps we have additional discussions with the business units as well to get their insights as to an alternative.”

    You’ll quickly notice the first two responses reveal stark differences in their course of action. Advisor 1’s response “we should dump them” is a quick indicator this was an emotional response. Clearly they’re upset over the situation and they want to deal with it emotionally, rather than thinking it through (further indicated by “I feel…”). In Advisor 2’s response, there’s a more cerebral answer as it utilized deductive reasoning (“I think…”) as well as past experiences with the vendor. In the final response from Advisor 3, past experience is utilized in their logic as well as moral reasoning in factoring in the relationship the vendor has with the business units (“I believe…”).

    Though these are very elementary examples that can certainly go deeper, you can deduce the various types of reasoning.

    What Do You Believe?

    I’ve begun to ask people, when appropriate, what they believe is the right course of action given the scenario, as I’m attempting to get them to share with me what I’ve called their moral reasoning – a combination of their personal code of ethics and belief system, combined with their deductive reasoning. Doing this further provides me with insight into their ability to provide both their logical analysis and their emotions/feelings in a single response.

    Next month, we will flip this over – with your superior requesting your opinion and you applying moral reasoning. We’ll also discuss where “going with your gut” comes into your analysis.

    References:

    http://www.psmag.com/health-and-behavior/identity-is-lost-without-a-moral-compass

    Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.

    Originally posted on the Huffington Post blog.

    Shared Assessments and Prevale...

    09-03-2015


    Thursday, September 10th at Galleria Park Hotel in San Francisco, CA

    You are cordially invited to attend an exclusive Executive Briefing co-hosted by Prevalent and Shared Assessments.

    Please join us as we bring together industry leaders in Third Party Risk to learn about:

    • The Latest Trends in Third Party Risk: “How to Prepare for the Next Headline.”
    • How Standardization and Collaboration Are Key to the Future of Third Party Risk Assessments.
    • Best Practices, Solutions and Education for Taking Your Third Party Risk Management Program to the Next Level.

    The IRS, Target, and the Office of Personal Management: all of these organizations were breached through third party partners. Register today for valuable insight and strategies to keep it from happening to you.

    REGISTER FOR THE SAN FRANCISCO EXECUTIVE BRIEFING

    Three Tips to Manage Vendor Ri...

    08-28-2015

    It has been a banner year for cyberattacks in healthcare, and the threats show no sign of stopping. The growing dangers of cyberthreats should make vendor risk management a business-critical issue for all organizations, and healthcare companies, in particular.

    With the increasing number of cyberattacks, intensified regulatory scrutiny and the extreme sensitivity of patient information, healthcare organizations should consider the following proactive steps to improve their vendor security hygiene:

    1. Allocate proper resources to your vendor risk management program. Resources represent more than money; they also include individual talent, the number of people in relevant departments, tools, and the right analytic capability. These resources are needed to perform critical program elements such as:

    • Risk ranking vendors
    • Making sure that contracts are written properly
    • Properly scoring and communicating vendor evaluations

    In addition, healthcare organizations should have resources in place to manage their risk programs as both an outsourcing organization and as a vendor that provides contract services to others.

    2. Establish a proper governance framework. For a vendor risk management program to succeed, departmental silos must be eliminated and an enterprise-wide governance framework should be established. The program should be structured to achieve a repeatable, ongoing process for managing vendors so that when a security weakness has been identified–either the problem is fixed, or the vendor is replaced. And the process must be consistent throughout the organization. Often, this process consistency can be difficult to achieve in all but smaller organizations, especially for vendors that provide critical services. Healthcare organizations also should have contingency options in place to assist with decisions when incumbent providers are not compliant. The importance of maintaining contingency options cannot be stressed enough, especially for instances where healthcare organizations store or share PHI or other sensitive data with business associates. Above all, structuring and following the right policies and procedures on an enterprise-wide basis is critically important.

    3. Set the tone at the top. Board members and C-suite executives must communicate a sense of purpose and priority throughout their organizations. Otherwise, their organizations are less likely to achieve third-party risk process maturity on a timely basis. Fortunately, according to the survey, there is increasingly widespread understanding of the need to address vendor risk. From an enterprise security perspective, it’s the C-level respondents who have the most current understanding of internal capabilities of the organization as well as the best reading on the external environment. This understanding is critical for healthcare organizations to successfully develop a vendor risk management program that can meet cyber risks today and in the future.

    Rocco Grillo is Managing Director of Protiviti, Inc. and a member of the Shared Assessments Steering Committee. Gary Roboff is Senior Advisor at the Santa Fe Group, which manages the Shared Assessments Program.

    Originally posted on GovernmentHealthIT

    What Exactly is OK (for) Googl...

    08-27-2015

    Every day, voice recognition gets better. And every day, more of us start talking to our devices instead of typing. Although voice recognition technology is still in its infancy, voice is proving itself to be faster and easier than typing on our increasingly tiny devices.

    And with this change, a new world of privacy concerns emerges.

    Whether we recognize it or not, we have the ability to be recorded – without our knowledge or consent — during our most intimate conversations and times. We are, after all, carrying around high quality recording devices with us 24/7.

    We live in a world in which our private lives can be turned inside out with the click (or misclick) of a button…

    And that’s the best-case scenario.

    The Blinking Light Heard Around the Privacy World

    In late June, Ofer Zelig, a software developer, noticed something odd. An LED light was blinking on and off while he worked. What was disconcerting was that this light indicated that his computer’s camera and/or mic had been activated. Curious, he began a lengthy hunt that ended when he identified the offending program: Google’s Chrome browser.

    What Zelig came to discover is that Google had downloaded a hidden browser module that enables the audio controls for “OK Google” – its voice command interface, or hotwording – to work. Following Zelig’s blog post and a tsunami of resulting concern, Google disabled the listening extension by default and noted that the system that listens for “OK Google” will no longer be downloaded automatically in Chromium 45 and onwards.

    Chromium? Yes, Chromium — the open source version of Google’s browser. This kerfuffle had to do with open source developers having proprietary (i.e., non-auditable) code downloaded to their computers, which appeared to turn on their microphones. Although the Chromium team was able to demonstrate that the code did not result in active recording, they still pulled the module as, they admitted later:

    “In light of this issue, we have decided to remove the hotwording component entirely from Chromium. As it is not open source, it does not belong in the open source browser.” ((https://code.google.com/p/chromium/issues/detail?id=500922))

    But the question remains, what about the average Chrome users?

    The “OK Google” module and its automatic download will continue to be part of the standard Chrome browser. So, what stands in the way of our browsers listening to us unawares? According to Google, we must opt-in.

    The real trouble here is: What does it mean to opt-in? It is easy to opt-in without understanding the full impact of that decision. Given how new the magic of voice recognition is, most of us fail to understand fully how it works – even in the vaguest of terms. We want the convenience of voice recognition, but don’t clearly understand the privacy trades that we are making.

    Furthermore, “OK Google” and other voice command services provide a new vector for malware and attackers. To help protect users from these types of threats, the open source developer community is continuously auditing and refining the code base. In the truly disquieting plot twist here, Google bypassed the community’s input by packaging the “OK Google” functionality as closed or proprietary code. Instead of relying on the open source community to figure out how best to protect this feature from tampering, Google’s Chromium team chose to hide it from them.

    Now, that’s a flag worth noting.

    So as we assess our new risks and exposures, it’s worth spending time learning about how voice command works and how different companies handle and use recorded voice. In lieu of specific regulations and privacy laws, companies are determining their approach independently. Some tilt towards the user’s privacy while others are unquestionably tilted towards the corporations’ benefit.

    Given the opportunity for overstepping, many privacy experts are calling for the use of hardware (as opposed to software) switches on all recording devices (e.g., webcams, microphones). A physical on/off switch and a lens cover for the webcam may be all that stands between our private lives and the outside world.

    But these recommendations really miss the point. Our world is moving away from the desktops where physical switches make sense towards a wearables universe where “always listening” is an essential part of the core design.

    The lines between outside and inside, fair game and overreaching will continue to blur. If we want better voice recognition, the companies that build and support it are going to be hungry for our voice data, as it’s what helps make their products superior. And without appropriate safeguards and truly informed consent, our last bastion of privacy – our spoken conversations – will be sucked up into the super slushy machine that’s feeding Silicon Valley’s data obesity problem.

    So did Google overstep in this particular incident? It’s not 100% clear. Although it appears no one had accidentally put “OK Google” into listening mode and effectively wiretapped their homes, as first reported, the proprietary code issue is worrying. Why hide that kind of sensitive functionality from developers? Was it a mistake or a misstep? Many in the community believe it was the latter, which would certainly not be OK, Google.

    If you are curious whether Google has captured any audio from you or your family, you can check out your recorded voice history here: https://history.google.com/history/audio

    E. Kelly Fitzsimmons is a well-known serial tech entrepreneur who has founded, led and sold several technology startups. Currently, she is the co-founder and director of HarQen, named one of Gartner’s 2013 Cool Vendors in Unified Communications and Network Systems and Services, and co-founder of the Hypervoice Consortium.

    Can Peer Collaboration Be Our ...

    08-26-2015

    Prevalent Webinar Hosted by NYSE Governance Services
    Sponsored by Symantec

    Thursday, September 17th from 1:00 pm to 2:00 pm EST

    Presenter: Robin Slade, Executive Vice President and Chief Operating Officer, The Santa Fe Group/Shared Assessments

    Is it time to test new ideas, including peer collaboration, to perform assessments on third parties with common shared services?

    Dependence on outsourced services requires evaluation of third parties to ensure proper protection of sensitive data against cyber threats and breaches. Today’s risk evaluation process is inefficient and costly for all involved, driving a need for new competencies that allow for a robust, standardized and repeatable methodology for third party assessments.

    Under the auspices of the Shared Assessments Program, top-tier financial institutions have been working collaboratively on an innovative approach to develop a proven methodology for performing single assessments of a vendor by multiple financial institutions.

    Tune in to this exclusive presentation as Robin Slade, Executive Vice President and Chief Operating Officer with The Santa Fe Group discusses how peer collaboration can be used as a cost-effective and efficient way to manage third party risk, strengthen vendor relationships, and protect an organization’s most critical assets.

    REGISTER FOR THE WEBINAR


    About the Presenter |
    Robin Slade, Executive Vice President and Chief Operating Officer, The Santa Fe Group/Shared Assessments

    Robin is Executive Vice President and Chief Operating Officer with The Santa Fe Group, where she works with clients, CEOs, and consultants as an expert in third party risk assurance, and fraud reduction. Robin leads all activities for the Shared Assessments Program—a cross-industry, member driven consortium with resources, tools, and best practices to effectively manage the third party risk management lifecycle—including managing its Advisory Board, Steering Committee, Member Forum, Shared Assessments Annual Summit, and the Certified Third Party Risk Professional (CTPRP) program. Robin regularly serves as an industry spokesperson, educating multiple industries and regulators about the Shared Assessments Program. She is often quoted in the press on issues in data security, privacy and business continuity. Her speaking engagements include: BAI, BITS, Corporate Executive Board, Federal Trade Commission (FTC), National Healthcare Anti-Fraud Association (NHCAA), Shared Assessment Annual Summit, Risk Management Association (RMA). Prior to the Santa Fe Group and Shared Assessments Program, Robin managed BITS’ flagship Fraud Reduction Program, including managing the activities of the Program’s nine working groups. She was recruited to help launch Medical Identity Fraud Alliance (MIFA) as Development Coordinator because of her passion for finding fraud solutions. MIFA is the first public/private sector effort to jointly develop solutions and best practices to address medical identity fraud. Additionally, Robin co-founded and is President and CEO of the Foundation for Payments Fraud Abatement and Activism, is on the Board of Eversafe, and vice-chairman of Bethlehem Place, a community food pantry. Robin holds a B.S. in Business and Management, a B.S. in Computer Studies, and an M.S. in e-Commerce from the University of Maryland University College.

    About Shared Assessments
    The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools, ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group, a strategic advising company based in Santa Fe, New Mexico. Visit us on the web at www.sharedassessments.org.

    About Prevalent
    Prevalent is a vendor risk management and cyber threat intelligence analytics innovator with a reputation for developing cutting-edge technologies and highly-automated services that are proven to help organizations reduce, manage and monitor the security threats and risks associated with third party vendors. For more information visit www.prevalent.com

    About Symantec
    Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. Symantec helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance and performance. Headquartered in Cupertino, California, Symantec has operations in 40 countries. For more information visit www.symantec.com

    Mark Your Calendar: CTPRP Work...

    08-20-2015

    Our next Certified Third Party Risk Professional (CTPRP) Workshop & Exam will be held on October 15-16, 2016 in Boston, MA.

    Individuals who pass the CTPRP examination and successfully comply with the requirements to earn and maintain the certification have a thorough working knowledge of third party risk management concepts and principles.

    To register for this event, click here.

    To learn more about the CTPRP, click here.

    If you have any questions about the CTPRP certification, contact Katherine Kneeland, Project Manager, The Santa Fe Group at Katherine@santa-fe-group.com or 330-794-7670.

    Vendor Risk Management in 2015...

    08-18-2015

    The Shared Assessments Program and global consulting firm and Member, Protiviti, teamed up last month to present the second annual Vendor Risk Management Benchmark Study. This year’s results, accompanied by additional analyses, highlighted that a substantial number of respondents reported they do not have any process in place to support significant Vendor Risk Component activities.

    This short video provides a snapshot of the current industry landscape and what can be done to keep third party risk management programs from stagnating in 2016.

    Know Your Enemy: The New Econo...

    08-17-2015

    According to Paul Kocher, one of the leading U.S. cryptography experts, there has been a 10,000-fold increase in the number of new digital security threats in the last twelve years. ((Perlroth, Nicole. “Hackers vs. Hacked: Game On.” New York Times, December 2, 2014. bits.blogs.nytimes.com/2014/12/02/hacked-vs-hackers-game-on)) So if you’ve been thinking there are a lot more data breaches in the news lately, you’re right. Twelve years ago, a significant percentage of data breaches occurred because businesses lost data: someone lost a laptop or disposed of digital media or paper records improperly, and the information fell into the wrong hands. But as businesses improved their security procedures and systems, criminals improved their methods to get their hands on sensitive information. Today, the most common cause of data breaches is cyber-attacks. ((Verizon 2015 Data Breach Investigations Report. http://www.verizonenterprise.com/DBIR/2015/))

    The Chinese general Sun Tzu said in The Art of War to know your enemy (which is ironic in light of the number of cyber-attacks coming from China, but good advice, nonetheless). If you’re concerned with data security or privacy these days, you can’t stay behind the corporate firewall and hope for the best. You need to understand the fast-changing world of cyber-crime, cyber-terrorism, and cyber-espionage. In this first installment of a three-part series, we’ll dig into the motivations and methods of cyber-criminals.

    Follow the Money
    You probably did a double take when you started reading this article. How could there be a 10,000-fold increase in threats in twelve short years? The answer is simple: money. Criminals have become incredibly adept at monetizing stolen identities on a massive scale. There are also threats from state-sponsored hackers, and we’ll tackle those in the third part of this series.

    Two factors have provided the growing conditions for this problem. First, large-scale cyber-crime is a natural consequence of the massive digitization and integration that have been going on since the 1990s. Between mobile computing, ecommerce, the use of cloud services, and myriad outsourced and/or integrated business processes, there are massive amounts of information connected to or traveling across the Internet. The second factor is the “dark web,” the web content that exists on so-called darknets, limited-access sites that overlay the public Internet and are often used for illegal or criminal activity. The Dark Web offers cyber-criminals multiple global marketplaces in which to sell stolen personal information. The abilities to steal and easily sell massive amounts of personal information have transformed the economics of information theft.

    Best Practices in a Bad Business
    Cyber-theft used to require deep network skills. The brilliant, nerdy hacker has become a standard character in spy and crime movies. But today, anyone with basic skills can get into the business. Not only can you buy attack software and tools on the Dark Web, there are even the equivalent of professional journals where cyber-thieves share news and tips.

    One interesting shift over the last decade is that identity fraud is now a multi-tier business. According to Tripwire, many people underestimate the complexity of these transactions. For example, credit card numbers are typically sold in bulk to brokers, who then sell the numbers to individual buyers. Information sellers are well known in the black market communities, and top sellers can even give away personal records as free samples so buyers can see the quality of their wares. This chain of distribution lets cyber-thieves concentrate on stealing information without the effort of exploiting it, and it makes it harder for law enforcement to trace the theft back to the source.

    The buyers can exploit stolen information in a variety of ways. Stolen information has a “shelf life,” just like groceries and other perishable goods. At some point, the theft will be discovered, either because the business discovers their systems were compromised or because the victim becomes aware the information is being misused. Unfortunately, it’s usually the latter, and the damage is done long before a breach is discovered. ((Verizon 2015 Data Breach Investigations Report. http://www.verizonenterprise.com/DBIR/2015/)) Either way, the buyers have a limited time to exploit the stolen information, so there are a number of different schemes for monetizing it in a timely way.

    Medical identity fraud either takes the form of fraudulent billing by unethical providers or misuse of another person’s medical records to obtain care. This kind of fraud may not be discovered for months or years, making stolen medical identities among the most valuable. Bank fraud is also less time-sensitive. If a buyer can get fairly complete bank information, they can clear out accounts before the account holder realizes it, and bank accounts don’t have as strong protection as credit cards. In contrast, financial companies now have strong algorithms for detecting credit card fraud, so buyers will often use stolen card numbers to quickly buy pre-paid gift cards to purchase goods, such as electronics, that can be sold through legitimate channels such as eBay.

    The Black Market, Where Stolen Information is Commoditized
    Cyber-criminals sell stolen information on black markets either individually or in lots, and the price varies depending on how much value the buyer can get from the information. For example, easily obtainable information such as birthdates will go for a few dollars, since it can’t be monetized by itself. According to an article in Disabled World, the going rate for a birthdate or Social Security Number is only about $3, a mother’s maiden name may sell for $6, and credit card numbers can sell for as little as $1.50, although Tripwire claims that some credit card numbers can sell for as much as $1,000, depending on how much additional information is included and the limit on the card. More valuable information such as a medical record can sell for $50. Business Insider reports that ready-to-use counterfeit Social Security cards can sell for $250 to $400, and bank account information sells for $1,000 and up, averaging 6 percent of the money in the account.

    So how much can cyber-criminals make? In its 2014 report, the Center for Strategic and International Studies estimated that cyber-crime extracts 15 to 20 percent of the $2 to $3 trillion generated annually by the Internet economy. That’s between $300 and $600 billion a year. Even if you simply take the price of $1.50 for a stolen credit card number and multiply it across the millions of records that have been stolen in the last year, it’s clear that cyber-crime is paying off big-time.

    A Strategic Defense
    In Nicole Perlroth’s New York Times article, Scott Borg, the head of the non-profit United States Cyber Consequences Unit, sums up the state of cyber-security: “People are still dealing with this problem in a technical way, not a strategic way. People are not thinking about who would attack us, what their motives would be, what they would try to do. The focus on the technology is allowing these people to be blindsided.” The last few years have certainly proven that cyber-criminals can outrun technology, and it’s also not financially feasible to defend your data on all fronts. To mount a strategic defense, you have to understand where the next attacks are likely to be coming from. In our next installment, we’ll dive deeper into the Dark Web where many of today’s cyber-attacks are born.

    Originally posted on the ID Experts blog. Reposted with permission.

    The Resilience Challenge For T...

    08-12-2015

    Resiliency is all about adapting to change and in this tech-savvy world we live in, change happens constantly. And while adjustments within the industry can promote growth and opportunities, they can also create difficulty for the business environment in terms of continuity and staying relevant.

    A new white paper from the Business Continuity Institute makes a strong case that business continuity is an integral part of resilience, but also states that building resilience goes beyond business continuity and requires substantial input from other protective disciplines.

    Read the full white paper here: http://www.bcifiles.com/8thReport.pdf

    Making the Case for a Security...

    08-03-2015

    The daily announcements of cybersecurity breaches, increasing concern about terrorism on critical infrastructures, the rising reputational risks that social media brings, the rapidly changing technology marketplace, and the complexity of managing increasing risks all put pressure on boards to stay up to speed and to be proactive rather than reactive. Traditionally, oversight of operational and technology risks has been the responsibility of the audit committee of the board, as well as the board at large, but that is changing.

    Dodd-Frank legislation mandated that financial institutions separate out technology and operational risk from the audit committee to a risk committee. Many non-financial corporations are following suit.

    A third board committee is also emerging to focus on security, both cyber and physical, in those organizations that are considered critical infrastructures like public utilities, health care, and transportation, and in financial institutions and other data intensive organizations. The rationale is to put more expertise and focus on emerging risks and for the board to be proactive rather than reactive. Not only are the regulators more concerned about these risks and third-party risks but the investor community is as well. This is one of the areas that shareholder activists are considering when evaluating company performance.

    Most of these new security committees include members of the board with technology or risk management expertise as well as senior management such as the chief risk officer, chief technology officer, chief security officer, and others with the relevant expertise. The chairman and CEO of the board also participates.

    The security committee usually has oversight for both physical and cybersecurity, and the reputational and operational risks related to critical infrastructure, company assets, data protection, and intellectual property. These committees also oversee third-party risk with regard to security issues. Many meet six times a year and on an “as needed” basis if an event occurs.

    Research on gender differences on boards by sources such as Credit Suisse, Catalyst, and Harvard suggests that women look at risks in a different way than men. According to the studies, women look at risk more holistically and ask more detailed questions on the issues. It is not surprising that women are populating the emerging risk and security committees of boards.

    Catherine Allen is the chairman and CEO of The Santa Fe Group, a strategic advisory group based in Santa Fe, New Mexico, that specializes in risk management, cybersecurity, and emerging technologies, as well as managing the industrywide Shared Assessments Program for Third Party Risk. She serves on the boards of El Paso Electric Co., Synovus Financial Corp., and Analytics Pros, as well as on the advisory boards of Houlihan Lokey and Women Corporate Directors. In addition to sitting on other committees, she chairs the security committee at El Paso Electric and sits on the risk committee of Synovus.

    This article was originally posted in the current issue of Directors & Boards.

    Press Release: Webinar to Expl...

    07-30-2015

    LockPath, Shared Assessments partner to provide third-party risk insights

    OVERLAND PARK, Kan.—Third-party risk management is becoming increasingly critical for businesses. Data loss and compliance incidents are frequently associated with a company’s business partners, and regulations are expanding to cover organizations’ third parties.

    Despite the urgency, many businesses struggle to establish a solid foundation for their third-party risk programs. To address the third-party management landscape, LockPath, a leading provider of compliance and risk management software, and Shared Assessments, the trusted source in third-party risk assurance, are partnering to present a webinar on establishing an effective third-party risk program.

    Tom Garrubba, a nationally recognized expert on third-party risk who currently serves as senior director of Shared Assessments, and Shawn Hickey, Solutions Manager at LockPath, will present a free 50-minute webinar, “Who owns third-party risk (and other questions)?” on Aug. 12 at 1 p.m. EDT.

    “From onboarding new vendors to assessing and re-assessing them for compliance with policies and regulations, businesses are facing an unprecedented time and resource commitment to adequately manage their third parties,” Garrubba said. “Luckily, there are best practices and techniques that can lessen that burden and improve risk management, which we will cover in the online session.”

    The webinar will address the following:

    • Establishing third-party risk management program ownership
    • Developing third-party policies, procedures and practices
    • Establishing a vendor inventory
    • 5 Strategic points to consider when developing a prioritization strategy

    “Breaches are often caused by a company’s third-party vendors, but it’s not the third party’s name that will make the headlines,” Hickey said. “Companies must perform their due diligence on vendors, especially those that will have access to sensitive information, and then be sure to re-assess them on a regular basis.”

    Webinar registrants can pre-submit questions on third-party risk management to events@lockpath.com to be answered during the session. For more information and to register, visit http://go.lockpath.com/thirdpartyrisk.

    About Shared Assessments
    Shared Assessments Program members represent industry outsourcers, vendors, and assessments firms of all sizes that work together in a global, peer-to-peer community of information security, privacy, and third party risk management leaders. These thought leaders share best practices and ensure program tools are up-to-date and meet regulations and voluntary guidelines and standards. Online at: https://sharedassessments.org/

    Shared Assessments Media Contact
    Sarah Perry
    sarah@santa-fe-group.com
    602-441-1769

    About LockPath
    LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company’s flexible, scalable and fully integrated suite of applications is used by organizations to automate business processes, reduce enterprise risk and demonstrate regulatory compliance to achieve audit-ready status. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises in more than 15 industries. The company is headquartered in Overland Park, Kansas.

    LockPath Media Contact
    Danielle Valliere
    danielle.valliere@lockpath.com
    913-601-3544

    Data Bloat: An Information Gov...

    07-28-2015

    As a follow up to my blog Cyber Insecurity in our new World of IoT, from my attendance at the Executive Women’s Forum Summit on Unintended Consequences: Internet of Things (IoT) and Big Data, I’d like to focus on the growing Information Governance Obesity Challenge that is creating a Data Bloat for information risk and IT systems in today’s Big Data world.

    Now, when I heard the words “Obesity Challenge”, my first reaction was to think about the weight of the average American. Americans rank #3 in the world for obesity, and the average American woman today weighs roughly 164 pounds, the same as the average American man in the 1960s. While we may be taller as a species now, our diet has changed. In that same decade, homes had a dial-up phone and rabbit ears for the television, radio was king, and no one could have anticipated what our appetite for information and devices would be fifty years later.

    With the explosion of the internet, digital media and the internet of things, data is proliferating faster than ever. The appetite for Big Data has accelerated not only across generations, but within the technology industry itself. In fact, it is estimated that Big Data drove over $34 Billion in IT spending. It is not just about the connections between systems, but about how the technology itself is driving new opportunities for data usage and personalization.

    Gartner recently outlined the concept of Dark Data. Dark Data is all the data in an organization that is not a part of day to day operations. Gartner compared Dark Data to all the furniture and junk in your basement, or all the hidden food in the pantry that just continues to grow, taking up space.

    According to Wiki’s definition, Big Data is a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications. This leads to key challenges in managing Big Data within an information governance program. I’ll try and keep the Data Bloat theme going as we need to factor into our information governance appetite, diet, and calorie plan how we collect and use information.

    What’s Your Organization’s Data Appetite Strategy?

    • Capture: How much data do you collect, consume on a daily basis?
    • Curation: Do you have a keep it forever mentality?
    • Storage: Do you know where your data is? Do you have dark data?
    • Search: How much wasted time do you spend searching for meaningful data?
    • Sharing: Do you have a matrix or math vectors for where the data is going and to whom?
    • Analysis: What is the expiration date for data value?
    • Visualization: What type of scale do you need to quantify the volume of data?

    Due to our drive for convenience, choice and personalization, we have become a nation of data hoarders with a keep it “just in case” storage mentality. We justify our approach because storage is cheap today, but keeping data forever can be very costly in litigation and in an eDiscovery situation. In fact, the value of meaningful data degrades over time. It is the rare business model, like monitoring and measuring weather patterns since the beginning of time, that requires permanent data storage.

    Buying patterns from 15 years ago are not as valuable as measuring last holiday season to this as we shift to an online economy. Even from a consumer media perspective, data migration from VHS to DVD has been shifted to the web with streaming.

    Organizations face the same challenge across their data stacks, from physical files to unstructured data to databases. Web tracking and online data collection build big data lakes to surf and fish for factoids, creating an almost Cyber-Fishbowl of monitoring.

    Three steps to implement your Data Bloat Diet Plan

      1. Implement the 80% rule – go after the data calories that give you the most impact.
      2. Eliminate “Convenience Copies” of data that add inches to your Data stack.
      3. Create a plan to find your Dark Data.

    Don’t be too IT-centric: business systems and business processes are creating more data. At the end of the day it’s about a balanced diet. Collecting, consuming and storing data for future use needs a calorie plan and a combination of exercise to eliminate unwanted pounds. Dark vegetables have the most benefits, and figuring out what data is not valued in your day to day operations can reduce your IT and business data bloat.

    Linnea Solem is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    Shared Assessments Robin Slade...

    07-23-2015

    While in Singapore to present a Peer-to-Peer Session at RSA Conference Asia Pacific & Japan, Santa Fe Group, EVP and COO, Robin Slade was interviewed by Geetha Nandikotkur, Managing Editor, Asia & the Middle East, ISMG.

    Among the issues, Robin reported, is that the risk evaluation process followed today is inefficient and costly for all parties involved.

    Click here for the full interview.

    2nd Annual Vendor Risk Managem...

    07-21-2015

    Early summer 2015 is proving to be a busy one for those interested in cyber security maturity models, first with the June 30th publication of the FFIEC’s Cyber Security Assessment Tool (which incorporates a cybersecurity maturity model) and now with the release of the second annual Shared Assessments Vendor Risk Management Benchmark Study. Questions about the relationship between the two models are inevitable. While the FFIEC cyber security model aims to assess financial institutions’ cyber security readiness at a high level, the Shared Assessments Vendor Risk Management Maturity Model – with its sharp focus on third party risk – does a deep dive into a single important component of cyber security, and is designed for use across all types of industries.

    The 2015 Study:

    This year’s study incorporates responses from more than 450 firms, and self-assessments were completed by C-suite executives (more than 25% of respondents), as well as IT, internal audit and IT audit vice presidents (about 15%) and directors (just over 50%). Several themes emerged from this year’s analysis:

    Vendor risk management programs require more substantive advances, especially outside of the financial services industry – Overall category maturity ratings of 2.3 on a 5-point scale for “Skills and Expertise” and 2.4 for “Tools, Measurement and Analysis” (both unchanged from 2014) serve as a warning sign that step function improvements are required to meet the challenges of today’s increasingly difficult security environment. This mandate is evident in recent regulatory pronouncements. Regulatory agencies in the financial services industry, most notably the U.S. Office of the Comptroller of the Currency, have asserted that “average” risk management no longer suffices; instead, financial institutions must enact the mind shifts, organizational culture work and behavioral changes needed to satisfy the “Getting to Strong” regulatory mantra. (www.protiviti.com/en-US/Documents/White-Papers/Industries/Getting-to-Strong-What-Banking-Organizations-Need-to-Know-Protiviti.pdf)

    Vendor risk management programs within financial services organizations continue to be more mature compared to companies in insurance, healthcare and other industries – The financial services industry, which in 1999 was the first to establish a Coordinating Council for Critical Infrastructure Protection and Homeland Security in response to Presidential Decision Directive 63, remains ahead of other industries with regard to its vendor risk management programs. The insurance and healthcare industries – each of which operates under its own regulatory microscope – continue to lag behind financial services organizations in fortifying their vendor risk management capabilities.

    Cybersecurity threats continue to be a daunting challenge – Cybersecurity threats are clearly on the minds of risk managers, IT functions and regulators. High-profile data breaches, often involving millions of customer records and personally identifiable information, are being reported with greater frequency. These attacks are moving beyond the financial services industry where payments related breaches have been a recurring headline. The first half of 2015, for example, has seen several major health insurance breaches with records for more than 91 million subscribers compromised.

    For the first time, this year’s analysis examined maturity ratings sorted by the seniority level of the survey respondent for both 2014 and 2015 data. For both survey years the study showed that the higher the level of the respondent, the lower the score that individual gave on the firm’s self-assessment. Across all industries, C-level respondents rated their firms’ overall maturity level as 2.3 in 2014 and 2.4 in 2015. Manager level employees rated maturity at just under 2.8 in 2014, and a little over 2.8 in 2015. In both years, Vice President level respondents were in between. These results are consistent with our expectation that the most senior levels of management will have both the best perspective on the effectiveness of their own enterprise risk remediation capabilities and the most up to date and wide ranging perspective on the external risk environment. That’s good news, because it shows quite clearly that executive management understands the scope of the vendor risk management work that needs to be done.

    Learn more and download the report.

    For more than 35 years, Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.

    Cyber Insecurity In Our New Wo...

    07-13-2015

    I recently attended the Executive Women’s Forum Summit, in New York City, on Unintended Consequences: Internet of Things (IoT) and Big Data, which enabled a strategic dialog for information security, risk and privacy professionals navigating today’s changing digital landscape. In this two part blog series, I’d like to start a discussion on how both Big Data and the Internet of Things (IoT) are shaping our approach to both cyber-security and information governance.

    The starting word of the day seems to be UBIQUITY – everything is everywhere, everything is becoming connected, and the Internet of Things is introducing more things for security and privacy professionals to monitor and control. How do you identify the perimeter when there are no boundaries in an IoT world?

    It’s not just technology geeks who are wondering. A recent survey showed that 74% of C-Level executives think IoT will play a larger role in the next 3 years. It is anticipated that there will be 40 to 80 Billion connected devices in the next five years. IoT makes life more convenient, but gives threat actors opportunities to exploit in new ways. The bad guys are adapting in real time, and the technology and layers of third party components make it a challenge to see through the fog in the cloud and figure out the right set of policies for both customers and employees. A scary study by Symantec of 60 IoT devices found that 19% did not use even basic SSL.

    While founding father Benjamin Franklin was a lightning rod of invention, the Internet of Things explosion is becoming a lightning rod to electrify your privacy and security program. Benjamin Franklin was quoted as saying “By failing to prepare you are preparing to fail” and organizations that do not address IoT in their privacy and security policies are setting themselves up for risks of data leakage or data breach. The Internet of Things is putting Cyber Insecurity top of mind due to how challenging it is to think about the potential implications when seemingly benign devices can create a privacy or cyber risk:

    • How do you define a risk profile for LED Smart Lights that can be hacked to black out the lights in a home or place of business?
    • How do you classify and protect data now that farm equipment and tractors can collect data that can be used for understanding future commodity trading potential?
    • What are the risks when TVs and Blu-ray devices can be vulnerable to Denial of Service Attacks?
    • How do you protect privacy now that even the tire sensors in your car can become mini geo-location devices?
    • How do you protect a car or home that can be vulnerable to hacks that automatically open locked doors?
    • How do you educate consumers in the “Internet of Me” to protect themselves from spear-phishing using data from Data Aggregators?

    There are no easy answers to these questions, whether for consumers who use IoT or for systems that are connected. What you can do is review your current policies, monitoring systems and controls, and initiate an action plan based on how your organization leverages connected devices.

    Even the basic steps of security incident response, crisis management and simulations are evolving beyond routine tabletops due to digital evolution and IoT. The next generation of Security Tabletop exercises should be scenario-based, leveraging recent attacks to guide or direct the scope of the testing. Just as banking regulators are focusing on “stress tests” for fiscal soundness, security incident and crisis communication needs its own “stress test” in today’s Internet of Things playground. Conducting both simulations and crisis plans is not just about integration of social media, but about practicing complex incidents that may be rooted deep within layers of systems that are connected. Practices and drills should focus on tactics, techniques, and procedures with a risk management focus.

    We are starting a new journey, due to the Internet of Things, that is only just beginning for security and privacy professionals. We have gone well beyond “Bring Your Own Device” to a world where fraudsters and hackers are finding new ways to “Bring Down That Device.” Each IoT device is collecting, accessing and processing data, and we need secure ways to update that device to reduce risk when flaws are found or exploited. Bottom line, it will take time to clear up the fear, uncertainty, and doubt involved in evolving privacy and security programs to incorporate IoT and Big Data. Check in with the next blog, which will explore the Data Bloat of Big Data.

    Linnea Solem is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    Why You Need to Add Third Part...

    07-11-2015

    It’s a daily occurrence now; storms that lead to major flooding, terrorism, outbreaks of infectious diseases, cyber hacks, and even political turmoil. With such events occurring with increased frequency perhaps it’s time to reevaluate your business resiliency posture.

    On the surface, evaluating business resiliency is not as sexy as evaluating the constant threat landscape pertaining to network security, cyber threats, cloud computing, et al.; however, overlooking the business that can be lost in the event you or your key third party business partners or suppliers go offline due to such events can have disastrous effects.

    John Beattie, Principal Consultant with Sungard Availability Services points out that “gaining insight about a vendor’s business continuity and disaster recovery process is interesting, but not as important as understanding what you can expect from the vendor when a disruptive incident occurs within their organization”.

    Beattie adds some basic guidance that organizations should perform regarding third party risk:

    • Understand their specific recovery objectives for the systems and business functions that directly support the products and services you receive from them; and if they have been validated through rigorous testing; understand their procedures and capabilities for ensuring continuity of their information security and data protection controls should they invoke their IT disaster recovery plans; and
    • Develop specific strategies, plans and capabilities to address how your organization will respond to the loss of individual third party services (and perhaps even 4th party services) as well as other disruption scenarios such as the loss of IT services; the loss of a work place; and even for a reduction in available work force.

    On the topic of vendor selection and retention, Beattie notes that organizations need to gather enough information that an informed decision can be made about how to address identified resiliency and recoverability risks. A good starting point is an ISO 22301 certified Business Continuity program whose scope includes all of the products and services received from that vendor; such a program “should carry a lot of weight during the vendor selection process,” but validation of the vendor’s resiliency is still in order.

    As many organizations perform periodic business continuity and disaster recovery tests, the Federal Financial Institutions Examination Council (FFIEC – Appendix J) and the Office of the Comptroller of the Currency (OCC Bulletin: 2013-29) have each laid out guidance to help financial organizations gain assurance that third party service providers have implemented solid business continuity and disaster recovery practices.

    The FFIEC defines business resilience as “the ability an organization has to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity”. It adds: “It is more than disaster recovery, it includes post-disaster strategies to avoid costly downtime, the identification and resolution of vulnerabilities and the ability to maintain business operations in the face of additional, unexpected breaches”.

    The OCC’s Bulletin 2013-29 similarly recommends organizations “assess the third party’s ability to respond to service disruptions or degradations resulting from natural disasters, human error, or intentional physical or cyber attacks.” The Bulletin further recommends that a “third party reviews its telecommunications redundancy and resilience plans and preparations for known and emerging threats and vulnerabilities”. Lastly, the Bulletin provides guidelines for stipulations in contracts for third parties to include:

    • Continuation of the business function in the event of problems affecting the third party’s operations, including degradations or interruptions resulting from natural disasters, human error, or intentional attacks.
    • Stipulation of the third party’s responsibility for backing up and otherwise protecting programs, data, and equipment, and for maintaining current and sound business resumption and contingency plans.
    • Provisions, in the event of the third party’s bankruptcy, business failure, or business interruption, for transferring the bank’s accounts or activities to another third party without penalty.
    • A requirement that the third party provide operating procedures to be carried out in the event business resumption and disaster recovery plans are implemented.

    It would be wise for any company, regardless of the industry, to utilize this guidance in their business resiliency strategies.

    Shared Assessments, a member-driven organization providing thought leadership in third party assurance, recommends organizations assess their third parties with probing questions, and evidence, regarding their business resiliency efforts, such as:

    • The existence of a Business Resiliency program that’s been approved by management, communicated to appropriate constituents, and is periodically reviewed
    • A documented Business Impact Analysis
    • A formal process focused on identifying and addressing risks of disruptive incidents to the organization
    • Specific response and recovery strategies defined for prioritized activities
    • Business continuity procedures being formally developed and documented
    • Senior management’s role for the overall management of the response and recovery efforts
    • Identifying dependencies on critical third party service providers
    • Formal, documented exercises and testing programs

    In short, organizations need to ensure business resiliency is incorporated into their business model’s overall design so as to diminish the risk of a service disruption and the impacts of disruptions within their third party chain. Technology, business operations, and communication strategies that cover the enterprise should be included, as these are all of paramount importance to a sound business resiliency strategy. Furthermore, this strategy should be assessed and, if possible, tested periodically.

    You’ll never know where the next “hit” is going to come from, but if or when it does, the efforts brought into it should certainly pay off.

    References and Resources:

    FFIEC Business Continuity Planning – Appendix J: Strengthening the Resilience of Outsourced Technology Services

    OCC 2013-29: Third Party Relationships – Risk Management Guidance

    Business continuity – ISO 22301 when things go seriously wrong

    “Three Important Elements Your Business Continuity Plan Is Missing”; John Beattie

    The Shared Assessments Program

    Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.

    Originally posted on Huffington Post blog.

    Press Release: Many Companies...

    07-08-2015

    Editor Contacts:

    For Protiviti:
    Kathy Keller
    (650) 234-6252
    kathy.keller@protiviti.com

    For Shared Assessments Program:
    Sarah Perry, The Santa Fe Group, 602-441-1769,
    sarah@santa-fe-group.com or
    Lisa MacKenzie, MacKenzie Marketing Group
    (503) 705-3508, lisam@mackenzie-marketing.com or
    Kelly Stremel, kellys@mackenzie-marketing.com

    FOR IMMEDIATE RELEASE

    Many Companies’ Vendor Risk Management Programs Still Need Improvement,
    According to New Study from Protiviti and Shared Assessments

    ‘2015 Vendor Risk Management Benchmark Study’ shows third-party risk programs across industries lack maturity, putting data at risk; resources and new strategies are recommended

    SANTA FE, N.M. and MENLO PARK, Calif. – July 8, 2015 – With cyber-attacks and data security threats looming at insecure access points, the increased scrutiny of regulators and the focused attention of boards of directors, the outsourcing of critical services to third parties requires a robust vendor risk management program and stringent oversight – now more than ever. Yet the results of a new study suggest that many companies may be underperforming in these areas. Organizations must make improvements to their risk management programs in order to keep pace with the latest risks and challenges, according to the 2015 Vendor Risk Management Benchmark Study, released today by the Shared Assessments Program and Protiviti, a global consulting firm. To download a complimentary copy of the study, please visit www.protiviti.com/vendor-risk or https://sharedassessments.org/2015-benchmark-study/.

    In its second year, the Vendor Risk Management Benchmark Study examined information from more than 450 C-suite executives, risk management and audit professionals, who rated their organizations using the Vendor Risk Management Maturity Model (VRMMM), a benchmarking tool from the Shared Assessments Program that measures the quality and maturity of existing vendor risk management programs.

    Survey respondents were presented with eight categories of vendor risk management. For each component within the eight categories, respondents were asked to rate its maturity level as it applies to their organization on a maturity scale of 1 (lowest) to 5 (highest):

    Survey Chart
</gr_replreplace>
<gr_replace lines="1646-1647" cat="reformat" orig="• Vendor risk management programs require">
    • Vendor risk management programs require more substantive advances. The overall maturity rating for program governance in this year’s survey (2.7 on a 5-point scale – below the “fully defined and established” maturity level) should serve as a wake-up call that deeper changes are needed that reach into organizational culture and individual behavior, especially for financial institutions that are striving to satisfy the U.S. “Getting to Strong” regulatory mantra.

    Initially, vendor risk management capabilities in organizations appear to be stagnating. Scores in half of the categories did not change from year to year, and the slight declines (-0.1) in the four other categories are not significant variations.

    However, these flat results do not necessarily mean that no progress has been made with regard to third-party vendor risk management. During the one-year period in between the 2014 and 2015 surveys, there was an epidemic of cybersecurity breaches, the February 2014 release of the NIST Cybersecurity Framework, and more oversight of IT security risk programs in general by both boards of directors and regulators. This increased regulatory focus on third-party risks means that organizations are now more aware of their own program’s strengths and weaknesses, particularly at the C-suite and board level. With greater clarity about what is required to minimize and mitigate cybersecurity risks, many respondents likely rated their capabilities lower even in the face of process improvements in their firms, and may also be setting a higher bar for what they deem to be mature levels of vendor risk management.

    “The increasing frequency and magnitude of cybersecurity breaches, along with recent and forthcoming regulatory actions, make it imperative that vendor risk management programs make a significant leap forward. This change requires fundamental alterations to strategies, processes and organizational culture,” said Rocco Grillo, a managing director with Protiviti and the firm’s global leader for incident response and forensic investigations. “The good news is that there is greater demand for building more robust vendor risk management programs. This issue is more frequently a part of the agenda for boards of directors, who are regularly seeking assurance from management that the appropriate steps are being taken to combat vendor risk.”

    Other Key Findings from the Survey

    • Vendor risk management programs require more substantive advances. The overall maturity rating for program governance in this year’s survey (2.7 on a 5-point scale –
      below the “fully defined and established” maturity level) should serve as a wake-up call that deeper changes are needed that reach into organizational culture and individual behavior, especially for financial institutions that are striving to satisfy the U.S. “Getting to Strong” regulatory mantra.
    • Vendor risk management programs within financial services organizations are relatively more mature compared to companies in insurance, healthcare and other industries. The 2015 survey results indicate that financial services firms continue to rank ahead of other industries with regard to their vendor risk management programs most notably in Program Governance, Vendor Risk Identification and Analysis, and Communication and Information Sharing. Financial Services organizations score on average more than a point higher in these categories. Perhaps most notable is the finding that the insurance and healthcare industries continue to lag behind financial institutions in fortifying their vendor risk management capabilities, considering the sensitivity of their data.
    • Policies, standards and procedures and contract management and criteria represent the most advanced components of current vendor risk management programs. These areas are ranked highest in terms of overall maturity among the eight program areas assessed in the survey. These two program characteristics are fundamental building blocks that can lay the groundwork for a more mature vendor risk management capability.

    “The study clearly indicates, across industries and leadership roles, that much work needs to be done,” said Gary S. Roboff, senior advisor with Shared Assessments. “Organizations are asking for more resources and effective, efficient strategies to manage third party risks, and this research tells us that the C-suite is aware of the need for continued vendor risk management improvement.”

    Resources Available to Learn More
    Protiviti will host a complimentary webinar on July 28, 2015 at 11:00 a.m. PDT, led by Grillo and Roboff and joined by a Fortune 500 financial services company guest speaker, to discuss the results of the survey and offer insights into what organizations can do to raise their vendor risk management maturity levels. To register, please click here. Additionally, Grillo and Roboff have recorded a podcast about the survey findings and their implications for businesses.

    To access a complimentary copy of the 2015 Vendor Risk Management Benchmark Study, please visit: www.protiviti.com/vendor-risk or https://sharedassessments.org/2015-benchmark-study/. The sites also host an infographic, a short video of the survey’s highlights and a benchmarking tool to compare the user’s results to the survey respondents’ results.

    About the Shared Assessments Program
    The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools, ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic consulting company based in Santa Fe, New Mexico. On the web at https://sharedassessments.org.

    About Protiviti
    Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

    Named to the 2015 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

    Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

    Editor’s note: infographic of survey highlights available in PDF or JPEG formats. Photos available upon request.

    Is a New Certification Program...

    06-26-2015

    Hacker data breaches that exploit vulnerable third party vendors dominate news headlines, boardroom discussions, and C-suite meeting agendas. As a result of the proliferation of such attacks, it has become increasingly imperative for organizations to ensure successful evaluation, monitoring, and management of third party service providers that have access to systems and sensitive data. Such effective management requires special strategies, processes, and skills. Finding prospects who are truly proficient in third party risk management can be challenging. This problem is one of the key reasons that Shared Assessments developed and launched the first certification program focused exclusively on vendor risk management – the Certified Third Party Risk Professional (CTPRP) program.

    Shared Assessments’ CTPRP program has experienced tremendous success since its launch at the end of 2014. Shared Assessments has awarded more than 150 CTPRP designations to date. This certification is ideal for third party risk, procurement and compliance professionals, including business vendor managers, vendor and operational risk managers, vendor IT security managers, IT auditors/assessors, and IS professionals.

    To qualify, participants must possess a minimum of five years’ experience in a position that demonstrates proficiency in the assessment, management, and remediation of third party risk issues. Individuals without the prerequisite five years’ experience may use this workshop for training and education purposes and apply for certification once they have met the five-year experience requirement.

    Upon successful completion of CTPRP training, individuals will have a working knowledge of third party risk management concepts and principles, including managing the vendor lifecycle, vendor risk identification and rating, and working knowledge of fundamentals of vendor risk assessment, monitoring and management. CTPRP designation validates the holder’s expertise, providing professional credibility, recognition, and marketability for those who achieve this level of certification.

    Don’t Miss Your Opportunity to Become Certified:

    To learn more or to register for an upcoming workshop and exam please contact Katherine Kneeland, Project Manager, The Santa Fe Group at Katherine@santa-fe-group.com or 330-794-7670.

    Katherine Kneeland is a Project Manager for The Santa Fe Group focusing on the development of the Certified Third Party Risk Professional (CTPRP) Program. Prior to joining The Santa Fe Group, Katherine served in the public sector as a Community Outreach Coordinator and managed a continuing education program for industry professionals.

    Three Tips for Business Associ...

    06-23-2015

    Some business associates (BAs) have been around a long time serving all or mostly healthcare clients. For those companies, the ins and outs of the HIPAA Final Omnibus Rule of 2013—which expanded the definition of a BA and added new requirements—may be old hat.

    But many other companies outside the healthcare industry may not understand all the obligations related to being a BA. We’re talking about a cloud services provider, for instance, that is storing protected health information (PHI). Or a Web designer that has access to patient records when working on a clinic’s website. Any company that “creates, receives, maintains, or transmits” PHI on behalf of a covered entity (CE) qualifies as a BA, along with those that manage PHI.

    Many of these companies may not even realize that they are considered a BA, or perhaps more likely, they know and push it out of mind because the risks seem remote (even if they’re not). BAs may also be overwhelmed by the complexity of complying with the Final Omnibus Rule, which includes separate HITECH Privacy, Security, and Breach Notification Rules.

    Here, then, are three tips to help BAs navigate the sometimes complicated waters of the Final Omnibus Rule and its specific guidelines for BAs.

    Tip #1: Know the Regulations

    Obvious, right? But if you’re a new BA or serve a limited number of healthcare clients, you may not have taken the time to read through the Omnibus Rule and understand all its requirements. You should.

    As a BA, you are subject to many of the same compliance requirements as CEs, and similar repercussions. The Office for Civil Rights can audit BAs for compliance, and if you fail to comply, you could face regulatory fines, civil money penalties, lawsuits, and corrective action plans.

    It therefore makes a lot of sense to know what the HITECH Privacy, Security, and Breach Notification Rules are, long before getting audited or suffering a breach. Yes, there are 57 requirements under the Security Rule alone, but you may already be in compliance with all or most. Just take the time to make sure.

    Tip #2: Know the Contract

    By legal definition, an organization can be a BA even without a BA contract with a covered entity or other BA. Those instances are rare, however. Usually, if you are a BA, you will have signed a contract—and you need to fully understand the terms of that contract.

    The contract should, for example, spell out how to coordinate breach notification activities. As a BA, you will be obligated to notify the CE if a breach occurs, but the timeframe for notification depends on the terms of your contract. The CE must notify the affected individuals, but you have to look through your contract to find out how those notifications will occur and who will pay for them.

    Tip #3: Have a Strategy to Assess Incidents

    Whatever the breach notification details of your BA contract, you first have to determine if an incident rises to the level of requiring notification to the CE. To make that determination, BAs have to work through the four-factor risk assessment process specified in the Breach Notification Rule. That process includes:

    • Identifying the nature and extent of the PHI involved
    • Identifying the unauthorized person who used the PHI or to whom the disclosure was made
    • Determining whether the PHI was actually acquired or viewed, or whether there was an opportunity for that to happen
    • Determining the extent to which the risk to the PHI has been mitigated

    The CE will have the final say on whether individuals must be notified of a data breach, but the BA needs to determine which incidents to report to them—it certainly doesn’t look good to over-report or under-report. And it looks even worse to be caught entirely unaware of this and other BA responsibilities.

    As president and co-founder of ID Experts, Rick is an expert in privacy and information security, with extensive experience leading organizations to address the growing problem of protecting PHI/PII and remediating privacy incidents, identity theft, and medical identity theft. With over 30 years of experience in the technology industry, Rick leads and participates in several cross-industry data privacy groups, speaks at conferences and webinars, and regularly contributes articles to industry and business publications.

    Originally posted on the ID Experts blog.

    Containing Cybersecurity Costs...

    06-16-2015

    Looking for advice about how to contain cybersecurity costs? The Thomson Reuters Legal Executive Institute named the Shared Assessments Program Tools as a solution.

    Read Containing Cyber-Costs: The Legal Industry Needs a Cybersecurity Audit Template to learn more.

    COMPLY-Checking Your Vendors...

    06-09-2015

    (Reuters) – A weak link in many financial advisers’ cybersecurity plans is the outside companies that help run their businesses, such as payroll companies and computer-repair firms.

    Shared Assessments Steering Committee member, Rocco Grillo, Managing Director and Global Leader for Incident Response and Forensic Investigations, Protiviti, recently contributed to the article, COMPLY-Checking Your Vendors’ Cyber-security Practices by Reuters columnist, Jennifer Cummings.

    Click here to read the full article.

    Using Peer Collaboration to Ma...

    05-29-2015

    Companies are outsourcing more critical functions as part of their business operations in today’s complex environment. Every member of the supply chain must be evaluated to ensure they are properly protecting systems and data. Hackers are specifically targeting third parties as a way to get to outsourcers’ data, which further emphasizes the need for rigorous information security and risk management programs.

    The service provider control evaluation process has long been inefficient and costly. The verification performed during the onsite assessment is a necessary component to ensure sufficient third party controls are in place, but today this process is time and resource intensive, inefficient and a burden on both the outsourcer and the service provider.

    Professionals in finance/banking, healthcare, insurance, and retail discussed an innovative approach during The Shared Assessments Peer-2-Peer session I facilitated at last month’s RSA Conference: Can Peer Collaboration Be Our Next Best Practice for Risk Management? The discussion focused on using peer collaboration to perform assessments on third parties with common shared services. Many organizations share the same vendors for the same common services, each historically conducting individual, costly and time-consuming independent assessments of their service providers’ risk control environment. Until now…

    The Collaborative Onsite Assessment Program
    To help companies use peer collaboration to better manage vendor risk, we recently introduced the Collaborative Onsite Assessment program, leveraging the Shared Assessments Agreed Upon Procedures (AUP), the standardized testing procedures of the Shared Assessments Program, as the common onsite assessment vehicle. During a two-year pilot process, the AUP was augmented to ensure the existing procedures covered 100% of the control requirements of the participating outsourcers, who were top tier financial institutions. The “Superset” AUP developed was then leveraged by multiple financial institutions to perform a shared onsite assessment of key service providers—one assessment of a single service provider by multiple financial institutions—thus creating efficiencies and cost savings for all parties. Through this pilot process, the Collaborative Onsite Program built a stronger third party risk management capability without diminishing the ability to manage the service provider relationship. As the Collaborative Onsite Assessment Program is being rolled out to financial services, additional pilots are planned cross-industry.

    This powerful, new collaborative assessment tool has the ability to provide long-term cost savings and FTE efficiencies for both the service providers and financial institutions. Both sets of organizations will be able to spend less on assessments and more on maturing their risk management programs by limiting site visit and annual review man-hours. In addition, the service provider has found that the collaborative onsite assessment created a closer relationship with its clients.

    Shared Assessments is a member-driven organization of industry, service providers, assessment firms and software providers who understand that third party risk management is not a competitive issue. These organizations understand the value of working collaboratively to develop best practices, processes and robust third party risk management tools. Using peer collaboration can be a cost-effective and efficient way to manage third party risk, strengthen vendor relationships, and protect an organization’s most critical assets.

    For more information about the Collaborative Onsite Assessment program, please read the Collaborative Onsite Assessment case study. Please visit the Shared Assessment website for more information.

    Robin Slade is Executive Vice President and Chief Operating Officer with The Santa Fe Group. Robin leads all activities of the Shared Assessments Program, including managing its Member Forum, working groups and the Certified Third Party Risk Professional program. Connect with Robin on LinkedIn.

    Originally posted on the RSA Conference blog.

    The Next Generation of Third P...

    05-26-2015

    As a follow-up to the 8th annual Shared Assessments Summit, the themes of governance continued to focus on third party risk when I conducted a webinar hosted by the New York Stock Exchange (NYSE) Governance Services and sponsored by Prevalent.

    The focus on third party risk has shifted from a line manager to the C-Suite and Board of Directors, requiring organizations of all sizes to enhance their third party risk management program maturity.

    The current landscape for protecting data today requires third party risk programs to evolve to “The Next Generation” of third party risk oversight. While the name “The Next Generation” may bring up memories to Star Trek fans debating which era in the television series is the fan favorite, I’m in the core Star Wars camp that was wowed by the technology, vision, and sequencing in the Star Wars trilogies.

    Each new generation of movie fans saw new gadgets, new threats, and new technology, including new bad guys to battle in the digital landscape. Industry events over the past year have shifted our technology point of view, and require a new level of acumen, strategy, and response. From cyber security breaches to vulnerabilities with funny names, the rise of social media influence is changing how organizations plan for third party risk. Big brand companies are facing a cyber battle – with Death Star-like precision, but without the full suite of tools and gadgets to help their companies defend the company brand. What was once a supply chain or IT security vendor risk program has become a broad, umbrella governance model managing risks holistically.

    Evolving third party risk focus areas:

    • Expanded Control Considerations: The focus has shifted to depth, breadth, and security maturity of controls. The next generation goes beyond “Trust but Verify” to assess and ensure governance on security policy exceptions. Open source technology is pervasive and requires new levels of rigor for application security and infrastructure oversight. A heightened threat landscape brings vulnerability management to the next generation of white-hat hackers.
    • Cloud Computing: Risk Assessment considerations need to shift from the older generation to the new generation of cloud technology. The acceleration of cloud computing erodes the old school concepts and practicality of perimeter security. The next generation third party risk professional needs to be equipped to understand the details of cloud layers, types of service models, and data/client resource segmentation.
    • Regulatory Compliance Factors: Non-IT risks for consumer protection and operational risk take third party risk from “vendor audits” to continuous monitoring of critical suppliers. The next generation of third party risk requires the incorporation of regulatory monitoring, regulatory research and analysis, and compliance management systems to address compliance readiness.
    • Professional Ethics & Business Factors: Oversight of ethics and compliance starts within the company culture. Business conduct and codes of ethics need to be in sync with marketing practices and selling models. The next generation of third party risk requires oversight on new business activities to ensure risk and compliance are addressed. Corporate social responsibility becomes a factor for reputation risk management within supply chains. Aggressive enforcement by CFPB, FCC, and FTC is accelerating the pace for organizations to address consumer protection compliance.

    Even the traditional audit frameworks for governance are going to the next generation with the updated COSO Framework for Cyber Security Risk Assessments. The COSO dialog is asking senior leaders to be introspective and really ask strategic questions about their organizational maturity for governance.

    • Are we focused on the right things?
    • Are we proactive or reactive?
    • Do we have the right talent?

    On-site assessments are moving from binary to maturity-based self-assessments, including the approach for service providers to engage in collaborative on-site assessments with a set of clients to minimize the resource contention of handling third party assessments. The next generation of third party approaches must blend or layer the independent testing of controls – to provide assurance while maximizing efficiency in the third party risk process.

    So whether you are a traditional Trekkie or in the Yoda camp, both genres valued blending technology with good old-fashioned smarts: asking the right questions, trusting your judgment, and creating new battle plans. Each generation of the science fiction series could not have foreseen the technology advancements of the last fifty years, but third party risk professionals will face the bigger challenges in the next five as technology and risk leap at the speed of light.

    Playback of the NYSE recorded event, The Next Generation of Third-Party Risk Management, is available on the Prevalent web site.

    Linnea Solem is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years’ financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    Recently Released: Law Firm Br...

    05-19-2015

    The Shared Assessments Program is pleased to present a briefing paper on the significance of information security and privacy controls for law firms as third party service providers, and on collaborative opportunities for resolution.

    This paper focuses on the issues law firms are facing as they adapt to providing a secure IT environment that meets increasingly stringent third party risk assessment requirements, and on solution-building efforts to establish robust industry-wide program recommendations regarding management of IT security, data, resiliency, and privacy risk.

    As the trusted source in third party risk management, the Shared Assessments membership works collaboratively to develop improvements to third party risk processes and methodologies and create efficiencies.

    To access the briefing paper, please click here.

    New Study: Healthcare Vendors ...

    05-18-2015

    The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, by the Ponemon Institute and ID Experts was announced and we wanted to share some interesting findings. For the first time, Covered Entities and Business Associates were surveyed, revealing the differences and similarities these organizations face when protecting healthcare data. The results indicate that Business Associates are unprepared.

    Key findings include:

    • Criminal attacks are up 125 percent since 2010 and are now the leading cause of data breach.
    • 65 percent of covered entities and 87 percent of BAs experienced electronic information-based security incidents over the past two years.
    • 54 percent of healthcare organizations experienced paper-based security incidents; 41 percent of BAs experienced them.
    • One third of respondents don’t have an incident response process in place. (31 percent of CEs, 35 percent of BAs.)

    According to the FBI, criminals are targeting the information-rich healthcare sector because individuals’ personal information, credit information, and protected health information (PHI) are accessible in one place, which translates into a high return when monetized and sold.*

    The Fifth Annual Study on Privacy & Security of Healthcare Data can be downloaded at: www2.idexpertscorp.com/ponemon.

    * Source: blog post written by Doug Pollack at ID Experts: https://www2.idexpertscorp.com/blog/single/fbi-discusses-cyber-threats-to-healthcare-data

    How Do I Get This Up and Runni...

    05-16-2015

    I have one of those “a-funny-thing-happened-to-me-on-the-way-to-the-dry-cleaners” stories and it just so happens to be a perfect segue from my previous blog as we now switch focus to targeting alignment and support of your key initiative or action within the organization.

    I received a call from a Senior Audit Manager from a major retail company who wanted to discuss with me an implementation strategy proposal to her C-suite for a third party risk program… and get my opinion on who should “own” said program. After asking questions to gain some background into her company’s key organizational components (e.g., compliance, audit, procurement, etc.), current departmental staffing levels and risk tolerance, we discussed what I thought would be best for her proposal to target the C-level executive’s needs.

    So what did I recommend? Let me preface by explaining that each organization is different and there are usually quite a number of variables, such as budgeting, staffing, and subject matter expertise that come into play here. It’s also important to have a solid understanding of the benefits and hindrances of both centralized and decentralized program models before selecting the right one for your organization.

    Instituting centralized programs

    The primary benefits of having a third party risk program in a centralized operation tend to include the following:

    • The program will be known to all stakeholders across the enterprise (i.e., business units, C-level executives, etc.).
    • It offers a one-stop shop for other stakeholders, such as knowing who to contact with questions or concerns.
    • It tends to apply a consistent methodology and execution strategy.
    • Processes and practices have a sound structure.

    Though these attributes sound impressive, organizations must also be aware of common challenges that come with a centralized program; most notably:

    • In this case, it may become difficult for her team to know all that is or will be going on with larger third party service providers as multiple projects are employed with various scopes and data elements.
    • Her team may learn that smaller vendors managed by large business partners may refuse to cooperate, thus getting “lost in the shuffle” as they try to convince your organization that they are operating under the auspices of all parent-vendor policies and procedures – even when they are not.
    • Additionally, her staff may not truly understand why the business unit has selected or is using a particular vendor.

    Managing decentralized programs

    In a decentralized environment, control resides primarily within each business unit, and the program’s various responsibilities are ceded to that business unit. Notable attributes of a decentralized program in this third party risk management case include:

    • Personnel performing the third party risk management program functions will reside in multiple business units (silos), reporting via a solid-line up to the head of the business unit and via a dotted-line into her.
    • Stakeholders (i.e., the business unit) want control over vendors connected to their department, so handling or overseeing the assessment could take control away from her – the real owner of the program.

    Decentralized programs also face common challenges that organizations should be aware of; most notably:

    • A centralized policy is usually missing, and assessment methodologies and execution strategies tend to be inconsistently applied, including the use of different tools for assessments.
    • Knowledge-sharing outside of the business unit, with respect to vendors or the results of their assessments, is often non-existent. This includes key assessment reports to senior level management in other business units who may be affected by their own projects with a problem vendor.

    Which program model is right for your organization?

    In the case of the Senior Audit Manager and her company, I recommended a centralized approach. Why? Not only because of the items previously mentioned, but also because she has enough well-trained staff to execute this program successfully, she is willing to take ownership of the program, and she is willing to work with the business units to ensure coverage across the enterprise.

    When implementing any program, you should thoroughly study all options and expectations. In this case, there really is no “better” option when choosing between centralized and decentralized program models; only the one you believe will operate best in your organization’s environment.

    Be sure to run your plan by your peers, staff and any business units you may need support from for additional feedback to prepare for any questions and answers prior to taking it up to the next rung on the management ladder. In your meeting with senior management, be sure to adequately present the whys and hows up front so you can get to the heart of the matter as well as any additional support that may be required from other business units. Once approval is received, request these senior leaders to assist you in propagating your plan and program across the enterprise. (NOTE: This step is critical in order to ensure there are no surprises within the business units as well as with their existing or potential vendors.)

    Also, in reference to last month’s column, be sure to begin writing policies and procedures and get them approved quickly as they will be the blueprints paramount to your program. Review policies and procedures at least annually for updates or changes. Programs are dynamic and always subject to change in order to address new challenges.

    Remember, what matters most in implementing your program is communicating why it needs to be done and how it will be done. Ensuring that all relevant stakeholders across the enterprise understand the goals and execution plan breeds continued support and compliance for the program, ultimately leading to its success.

    Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.

    Originally posted on Huffington Post blog.

    New Year, New Landscape...

    05-14-2015

    Shared Assessments gathered another impressive set of risk professionals and regulators at the Eighth Annual Shared Assessments Summit to address this year’s theme, Third Party Risk Assurance: Everything Old is New Again.

    Third party risk management may not be a new concept, but with emerging regulations, technologies and standards, more organizations are faced with adopting both traditional and modern ways of managing that risk. Organizations must be willing to evolve to meet new risks and challenges, such as new payment methods, security risks, data breaches and more.

    Though the risk management landscape is ever-changing, we were fortunate to find some of the most knowledgeable, forward-thinking experts in the industry to share their insights and solutions during this year’s Summit. Here’s what we learned during our discussions:

    The increasing focus of hackers on third parties:
    A fundamental point made over and over by Summit speakers was the extent to which the threat landscape is changing. Hackers routinely seek to exploit the weakest entry points and more often, third parties are proving to be that bull’s-eye, as in the Target breach. The 2014 Sony hack was used as an example of how the consequences of a breach can reverberate through organizations, resulting in changes to corporate leadership, business plans and reputation.

    Managing for risk rather than compliance:
    Another point made by multiple speakers was that compliance does not automatically equate to effective security. Too much focus on compliance without a strong risk management culture can result in overconfidence, increased risk and successful attacks. Participants were asked to search for ways to weave security into the fabric of their organizations and to move away from a “check the box” compliance mindset.

    Governance issues:
    Effective security requires the right governance process; that is, good Board/management cohesion, the right tone at the top and shared values across the enterprise. There was a robust discussion about the role of the Board of Directors, senior management, and – in particular – the role of the Chief Information Security Officer (CISO) and the relationship of that position to the Chief Information Officer (CIO) and the Chief Security Officer (CSO). A major focus was the role of the CISO in effective Board communication, and although most speakers and panel participants favored a strong Board role for the Chief Information Security Officer, that perspective was not universal.

    National Institute of Standards and Technology (NIST) security guidance:
    Another focus of discussion was the difference between regulatory regimes in different vertical sectors and even within sectors. There was a consensus that NIST Cybersecurity Framework can help build a unified perspective across industry sectors, especially where sector-specific regulatory guidance is not robust.

    Optimizing third party risk mitigation:
    Collaborative Onsite Assessments Program participants reviewed pilot engagements and reported: (1) that these assessments met 100 percent of their institutional needs and, (2) that results were as good as or better than their own proprietary approaches.

    Leveraging resilience to ensure positive outcomes:
    Business resilience has been the subject of recent regulatory guidance and was a focus of several speakers and panelists. Participants stressed the importance of organizational resilience to good event outcomes; without it, event outcomes are at risk.

    Identifying your firm’s Crown Jewels:
    A number of speakers asked the question, “Do you know what your firm’s Crown Jewels are and how they are secured?” Whether those Jewels are critical intellectual property (the formula for Coke or Pepsi), key business plans (a major pending acquisition), or something else, exposing those secrets can have serious business consequences. Protecting them is a mission-critical responsibility.

    Exploring vendor risk management beyond IT:
    A number of speakers and panelists raised the subject of third party operating risk management and how that subject fit within the Shared Assessments Program. Panelists spoke about the need for an international vendor management operational risk standard. Staff noted a number of areas where the program was expanding to incorporate operational risk related issues with the expectation that operational risk inclusion will accelerate.

    More from the Eighth Annual Shared Assessments Summit

    Special Thanks to our Knowledgeable Speakers
    This year’s Summit brought together some of the most diverse and talented risk management and business professionals from across the nation. We are grateful to all of these wonderful speakers for their contributions to our workshops, panels and discussions:

    • Catherine A. Allen – Chairman and CEO, The Santa Fe Group
    • Seth Bailey – Director of Information Security, Iron Mountain
    • Gloria Banks – Chief Compliance Officer, Synovus Financial
    • Phil Bennett – Director of Information Security Specialist, Capital One
    • John Burcham – Corporate Counsel, EZShield
    • French Caldwell – Chief Evangelist, GRC, MetricStream
    • Jonathan Dambrot – CEO and Co-Founder, Prevalent Inc.
    • Vicki Dean – VP of Member Relations and Sales, The Santa Fe Group
    • Angela Dogan – Senior Project Manager, The Santa Fe Group
    • Kevin Dunn – Director of Strategic Accounts, Veracode
    • Christine Ferrusi Ross – Partner and SVP, Neo Group
    • Tom Garrubba – Senior Director, The Santa Fe Group
    • Adam Greene – Former HHS, Partner, Davis Wright Tremaine
    • Rocco Grillo – Managing Director, Protiviti Inc.
    • William Henley – Associate Director of Technology Supervision, FDIC
    • Lester Hill – National Bank Examiner and Policy Analyst, Office of the Comptroller of the Currency (OCC)
    • Brad Keller – Director of Third Party Risk and Compliance, Prevalent Inc.
    • Mary Kipp – President, El Paso Electric
    • Katherine Kneeland – Project Manager, The Santa Fe Group
    • Jason Maloni – Senior Vice President and Chair of Litigation Practice, Levick
    • Hara Marano – Editor-at-Large, Psychology Today
    • Shashank Modak – Director of Global Technology Control Programs, JPMorgan Chase & Co.
    • John Nye – Independent Risk Management Consultant
    • Joseph Prochaska, Jr. – Board Member, Synovus Financial Corporation
    • Ron Ross – Fellow, National Institute of Standards and Technology (NIST)
    • Robin Slade – EVP and COO, The Santa Fe Group
    • Linnea Solem – Chief Privacy Officer and Vice President of Risk and Compliance, Deluxe Corporation
    • Atul Vashistha – Chairman and CEO, Neo Group
    • Mike Ware – Managing Consultant, Cigital
    • Charlotte Whitmore – Former CMO and Board Member, Analytics Pros Inc.
    • Joan Woodard – EVP Emeritus, Sandia National Laboratories

    We are Surrounded by Industry Champions – VIP Reception Award Winners
    Over the last year, the Shared Assessments Program has grown to accommodate more than 140 members. More and more industry champions are joining together to minimize risk and make our world a safer place to do business, so we thought it only appropriate to use a portion of the 2015 Summit to celebrate several of our members who have accomplished so much in our shared quest to continue reducing risk and growing the Shared Assessments Program. Congratulations to the following individuals on a job well done:

    • Andy Hout, Consultant, Third Party Risk and Compliance, Prevalent, Inc. – Winner of the Shared Assessments Founders Award in recognition of our deep appreciation for unparalleled dedication to the Shared Assessments Program.
    • Jonathan Dambrot, CEO and Co-founder, Prevalent, Inc., Brad Keller, Director, Third Party Risk and Compliance, Prevalent, Inc., Shawn Malone, Vice President, Business Compliance, Radian Group, Paul Poh, Vice President-Technology, Fiserv, and Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance, Deluxe Corp., – Winners of the Special Achievement Award in recognition of our sincere appreciation for the outstanding commitment to the development of the Shared Assessments Certified Third Party Risk Professional (CTPRP) Program.
    • Shashank Modak, Managing Director, Global Technology Control Programs, JPMorgan Chase & Co., – Winner of the Innovator Award in recognition of our utmost gratitude for his outstanding leadership and innovation in the third party risk management industry.

    We ♥ Baltimore
    On behalf of the Shared Assessments team, the 240 Summit attendees and 10 sponsors, the Santa Fe Group donated $5,000 to support and thank the Baltimore Development Corporation and the Baltimore City Fraternal Order of Police, aiding volunteers and public servants who dedicated themselves to supporting and protecting the city. We hope our humble gift will help support the peace and rebuilding efforts in the beautiful city that hosted our 2015 Summit.

    Our Sponsors are the Best
    Thank you to all of our sponsors and exhibitors who made this year’s Shared Assessments Summit the best yet!

    2016 Summit Opportunities
    Interested in being a sponsor or exhibitor at next year’s Summit? Contact Vicki Dean at vicki@santa-fe-group.com or 602-740-1040 to learn more.

    Press Release: Small Business ...

    05-13-2015

    PRESS RELEASE

    All SBFE Communications: info@sbfe.org

    For Shared Assessments, contact: Lisa MacKenzie, MacKenzie Marketing Group, 503-225-0725,
    lisam@mackenzie-marketing.com or Kelly Stremel, kellys@mackenzie-marketing.com

    Small Business Financial Exchange Builds Evidence-Based Collaborative Vendor Risk Program

    Protocols Based on Shared Assessments Tools; Results Deliver a Repeatable, Consistent Process for Third Party Vendors

    SANTA FE, N.M. and CLEVELAND — May 13, 2015 — The Small Business Financial Exchange (SBFE), the leading source of U.S. small business credit information and a member of the Shared Assessments Program, has developed a vendor risk program to address data security needs for third party due diligence and oversight. Based on proven industry third party risk management tools from Shared Assessments, this program will provide SBFE an evidence-based security protocol to ensure robust third party oversight during the entire vendor relationship lifecycle.

    Following a thorough review of the Agreed Upon Procedures (AUP), the Standardized Testing Procedures of the Shared Assessments Program, SBFE’s working group members agreed the methodology would provide for an objective, consistent and repeatable onsite assessment protocol and would be key for pre-contract due diligence and ongoing monitoring.

    “We need a comprehensive methodology that gives us the ability to both examine the existence of IT data, privacy and security controls, and also verify the organization’s adherence to those controls. Leveraging the AUP for due diligence as a standardized framework allows us to rigorously assess third parties in advance of and throughout our relationship with a vendor. The AUP from Shared Assessments is central to that process,” said Pete Tannish, director of information security at SBFE.

    “We allowed each small business lender in our working group to align the Collaborative AUP against its own corporate requirements to ensure it met their particular needs,” added Tannish. “This collaborative approach is what makes the Shared Assessments program and the Program Tools a vital part of the financial services industry.”

    “We applaud SBFE’s stringent due diligence processes to ensure its SBFE Certified Vendors™ are putting the necessary risk controls in place in advance of contracting with them,” said Robin Slade, executive vice president and chief operating officer, The Santa Fe Group, the managing agent for the Shared Assessments Program. “This effort reinforces SBFE’s commitment to fostering robust third party risk oversight.”

    Standards-Based Program Tools Empower Vendor Management Confidence
    The Shared Assessments Program Tools were developed by its members and are based on international, federal, and industry standards, regulations and guidelines, in order to ensure sensitive outsourced data is protected. The standards are based on ISO-27001/27002, and are aligned with PCI DSS, HIPAA/HITECH, COBIT, NIST Cyber Security Framework, Federal Reserve, Office of the Comptroller of the Currency OCC-2013-29, and FFIEC guidance.

    “We have enabled the financial services industry to build a strong third party/vendor risk management capability, using a substantiation-based, standardized and efficient methodology. Now, multiple organizations can assess vendors that provide common services creating significant cost savings and efficiencies for the industry,” added Slade.

    About the Shared Assessments Program
    The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools, ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic consulting company based in Santa Fe, New Mexico. On the web at https://sharedassessments.org.

    About Small Business Financial Exchange, Inc. and SBFE, LLC (SBFE®)
    The Small Business Financial Exchange, Inc. and SBFE, LLC (collectively known as SBFE) is the leading source of US small business credit information. Established in 2001 as a non-profit organization, today the exchange houses information on about 24 million businesses in its SBFE Data Warehouse™, and enables blind information exchange among its Members. Through its resources, relationships and SBFE Certified Vendors™, SBFE makes possible innovative risk management solutions by providing industry insight and analysis of aggregated small business financial data to its Members. SBFE sets the highest standards for data quality, integrity of use, data governance and information security for SBFE Data™ to protect its Members and their customers’ information. SBFE is the only Member-controlled organization of its type and is a trusted advocate in promoting the needs of the small business lending community. For more information, visit www.sbfe.org.

    ###

    Collaborative Onsite Assessmen...

    05-07-2015

    The Shared Assessments Program is pleased to present a case study based on our first in a series of pilots for our Collaborative Onsite Assessment program.

    The goal of this pilot program is to create the opportunity for multiple industry outsourcers to perform a collaborative onsite assessment of a single service provider, performed by an independent assessment firm, leveraging the Shared Assessments Agreed Upon Procedures (AUP), the standardized testing procedures of the Shared Assessments Program, as a common onsite assessment vehicle. The case study outlines the methodology used and the results of this first pilot.

    As the trusted source in third party risk management, the Shared Assessments membership works collaboratively to develop improvements to third party risk processes and methodologies and create efficiencies.

    To access the case study, please click here.

    Putting Reputational Risk in P...

    05-05-2015

    Each year there is an annual Summit for third party risk professionals to network, train, and learn from each other and discuss with regulators how to manage third party risk and protect their company’s brand and assets. This year, the Shared Assessments Summit 2015 was held in Baltimore, MD. Being in Baltimore for the entire week influenced the conference dialog on risk management and crisis communication.

    Being under curfew during a state of emergency, with a visible National Guard presence, showed how quickly a situation can morph or change under the influence of social media. The concept of a VUCA world – Volatile, Uncertain, Complex, and Ambiguous – has never been so clearly brought to life as by last week’s events in Baltimore and solidarity protests in many urban cities across the United States.

    For the third party risk professionals attending the risk conference, the governance themes focused on these topics:

    • Ethics, Compliance, and Operational Risk
    • The Heightened Expectations for Boards of Directors
    • Breach Incident Management
    • Impact of demographic shifts on our culture

    Shift in perspectives played out in the streets
    The focus of our week was on how organizations need to mature their third party risk management processes – not just due to cybersecurity, but for broader risks of regulatory compliance and operational risk. However, I saw a dialog shift in the perspectives from both presenters and attendees as the lessons learned and risk management themes were played out on the streets, on the media, and how quickly the information sharing shifted the speed of response, or interpretation of speed of response. The crisis communication training session became a more hands-on application of lessons learned in real or reel time as the attendees got updates on the situation from their smart phones.

    Even the session on demographics and how the millennial generation thinks differently about risk and communication was driven home by the escalated events. Actions planned by high school students to do a “purge” quickly escalated when combined with the factors being discussed regarding the Freddie Gray situation. For the residents of Baltimore the numbers were striking: 400+ arrests, 113 police officers injured, 200 small businesses lost or unable to reopen, 144 vehicle fires, and 19 burning structures. For the companies located in Baltimore with executives monitoring the situation, key processes were triggered to enact crisis communication teams and deployment teams for incident response.

    An organization can only lose its reputation once
    The media points and counterpoints frame the debate over public policy and reputation risk. In fact, 90% of executives surveyed by Forbes Insights last year on behalf of Deloitte stated that reputation risk is their key business challenge. The essence of a corporate reputation is what a company “is”, what “it does”, and how “it does it.” An organization can only lose its credibility once, and it takes time and resources to recoup lost trust. Deloitte issued an updated Directors Report focused on the top governance issues for 2015.

    Communication during a crisis is even more crucial
    How do you develop a strategy in a VUCA world or in a VUCA crisis? As any situation develops, organizational crisis teams need clear roles for navigation and to think clearly in a crisis. While individuals can become desensitized to recent data breach incidents, the intense pace by which situations can escalate due to social media requires a different leadership approach to managing risk. Communication in a crisis becomes even more critical.

    While our conference attendees were focused on an analysis of the Cyber Security breaches of 2014 and the resulting implications for Executives and Boards of Directors, we also internalized these perspectives to the evolving situation.

    Key takeaways
    Key “nuggets” from our conference speakers that I jotted down as most memorable takeaways to apply back into my organization included:

    • Build a plan for the risks you don’t expect
    • Remember that hope is not a strategy
    • Frame the narrative when sharing bad news
    • Tell a Story – and build your own story arc
    • Know the media cycles for when to share updates
    • Speak like The Choir – all singing from the same song sheet
    • Operationalize risk management

    I co-facilitated a pre-conference workshop on “The New Normal” for third party risk, and unfortunately that “tagline” became an often-used phrase by local and national reporters as we got hourly and daily updates on the situation. For corporations, the VUCA factor of social media and the public’s quickness to judgment increase the importance of reputation risk management. “The New Normal” for reputation risk is not only a faster pace, but competing or opposing strategies to be able to handle situations that come out of left field.

    Due to the city-wide curfew, conference attendees stayed at the hotel, and continued the dialog on what they learned this week, not only by academic sessions but watching the events unfold in basically our back yard.

    From the Social Media Mom, to the community regrouping together to quell the protests, each day was a new day in a VUCA world. There will be a series of debates on response from government, academia, media, law enforcement and corporations on what to learn from the Baltimore 2015 riots. Reputation risk will clearly be top of mind for Boards of Directors and Executives in cities across the nation in the coming weeks.

    From a personal view, the experience was historic to see how quickly the situation began to change conversations – and I even got to meet CNN’s Anderson Cooper in the process.

    Linnea Solem is Chief Privacy Officer and Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    PCI and Tomorrow’s Payments ...

    04-30-2015

    Every so often it’s useful to sit back and reexamine a subject from a 40,000 foot perspective. In the last six to eight weeks, three unrelated items have caused me to do just that as I think about security issues in the payments card arena, never an easy subject even in the best of circumstances. Event number one was the March publication of Verizon’s annual PCI Report, which showed, once again, that even firms that did relatively well in their annual examination could not maintain PCI compliance over a longer term. Event number two was a March 11th blog post by BankInfoSecurity’s Executive Editor Tracy Kitten in which she asked the question: “What are the card brands going to do to ensure merchants are secure and breach-related losses and expenses are covered?” Event number three was not even directly related to payments – it was a published report that Anthem Blue Cross – which recently suffered a major data breach affecting 78.8 million people – was unwilling to allow the U.S. Government’s Office of Personnel Management’s Office of Inspector General (OIG) to perform “standard vulnerability scans and configuration compliance tests” this coming summer, after having refused the OIG that same permission in 2013. ((“Anthem Refuses Full IT Security Audit,” HealthCareInformationSecurity, March 3, 2015))

    Let’s take these three items in order. Verizon did have some good news to report and the company’s 2015 PCI analysis showed improvements in compliance for many areas. For example, compliance improved for eleven of the twelve PCI DSS requirements (the average improvement was 18 percent), and those improvements continue a long term trend. However, the single area that declined was an important one, requirement 11, testing security systems. Verizon found that only 33% of firms met that requirement in 2014, down from 40% one year earlier.

    Much more disturbing to me were two additional headline findings from the report: first, four out of five firms (80 percent) that had passed a PCI exam were NOT compliant six months later at their interim evaluation (see Table 1, below). Second, just 28.6 percent of companies with a successful PCI validation were still compliant one year later. Although both of these statistics were improvements compared with past performance, they tell a chilling story about real world merchant security and the inability of most firms to move beyond a compliance checklist mindset toward a culture characterized by the pursuit of continuously successful security hygiene. In a world where security breaches make headlines with regularity, this is a very troubling reality.

    Table 1 (image not reproduced)

    Source: Verizon 2015 PCI Compliance Report, March 2015

    This state of affairs has been acknowledged by the card brands, most recently in late March, by Ellen Richey (Visa’s Security Chief) at a conference in Washington, D.C. Richey noted that among the most common problems is the failure to complete relatively basic steps such as changing default device passwords (keeping default passwords makes it easier to put malware on a device). How big a problem are default passwords? Trustwave’s Charles Henderson gives one perspective using VeriFone POS devices as an example, noting that VeriFone has had a well-documented default password since at least 1990. Henderson says that when TrustWave does a POS audit, “90 percent of the VeriFone card readers we test have that [default] password, and that’s just one vendor, and that’s just one example.” ((“Why POS Malware Still Works,” BankInfoSecurity, 3-24-15))

    Against this portrait of so many firms seemingly unable to maintain even basic elements of payments security, it’s difficult for me to interpret an increasing number of merchant statements questioning the value of chip card/EMV implementation at the point of sale. For example, The Merchant Advisory Group’s VP, Liz Garner, spoke recently about EMV implementation saying, “what’s the point in implementing this now when the methods are likely going to be changed again?” Implementation, she said, would be, “extremely costly, extremely disruptive and extremely complex across the board. With our folks there is a lot of uncertainty of its value, because of the availability of other types of technology that are better.” ((“Bankers Frustrated by Retailers’ Foot-Dragging on EMV Upgrades” American Banker, 3-29-15))

    With that perspective, let’s look at the issue Tracy Kitten raises in her March 11th blog. Her question about why regulators aren’t challenging card brands to help merchants stay secure and cover any breach related expenses was raised in the context of what the blog suggests is a “broken payments infrastructure” that the card brands are seeking to prolong. So, is the payments infrastructure broken? We all understand that the payments infrastructure is in a period of rapid transformation. No one, not the card brands, not banks, not merchants, not regulators, believes that the legacy magnetic stripe environment at the point of sale is sustainable, or that online payments security levels are near adequate to deflect a coming storm. Everyone understands, given the whack-a-mole nature of fraud, that as mischief at the physical point of sale is reduced it will move to the online and mobile environments – and everyone understands that as payment mechanics in general are improved, fraudsters will look for other ways to exploit the payments system, as they have already with registration fraud on Apple Pay. Given the observations of TrustWave, Verizon and others, it seems clear to me that far too many merchants have not yet embraced a full commitment to achieve an adequate threshold level of digital payments security no matter what tools are available. And the retail community is not alone. ((“Anthem Refuses Full IT Security Audit,” HealthCareInformationSecurity, March 3, 2015))

    In early February, Anthem Blue Cross reported that it had suffered a major data breach, perhaps (according to Adam Krebs) beginning as long ago as April 2014. This breach exposed customer names, dates of birth, social security numbers, health care IDs, home addresses, email addresses, employment data, and even income data. The breach affected more than 79 million people, both current and past customers dating back to 2004. So it was a considerable surprise to read on March 4th that the U.S. Government’s Office of Personnel Management’s Office of Inspector General (OIG) had been denied permission, for the second time, after requesting to complete a limited scope audit. An OIG spokesman was quoted as saying:

    “What we had attempted to schedule for the summer of 2015 was a sort of ‘partial audit’ – what we call a ‘limited scope audit’ – that would have consisted only of the work we were prevented from conducting in 2013. So this is the second time that Anthem has refused to permit us to perform our standard vulnerability scans and configuration compliance tests.” ((“Anthem Refuses Full IT Security Audit,” HealthCareInformationSecurity, March 3, 2015))

    Anthem’s unwillingness to engage constructively with its customers about its internal IT security effectiveness is disturbing. Any bank doing business with Anthem that had agreements meeting OCC and FFIEC contractual standards would have a clear right to audit and access to the company’s own IT audit reports. Anthem’s attitude is one more indication that too many companies don’t yet accept what’s required to maintain proper security hygiene in today’s environment. And with the kind of PII being stolen in this and similar breaches (for example, Premera Blue Cross) it will be easy for fraudsters to establish an ever increasing number of synthetic identities, which are difficult for FIs (and others) to detect and defeat.

    If firms across the economy are finding it so difficult to protect their customers from the consequences of unwelcome intrusion, can PCI ever result in a significantly improved security environment? Increasingly, I’ve come to the conclusion that consistent PCI compliance is beyond the real world ability of too many retailers and, therefore, is unlikely to result in material improvement without a different enforcement regime. I believe more rapid evolution of our payments infrastructure is essential to achieve step function security progress across all payment channels. So from 40,000 feet, here is my own sense of some required steps, all in the spirit of devaluing payments related data, sorted by stakeholder:

    Steps to Better Payment Security

    Brands:

    • Move away from chip and signature EMV and require online Chip and PIN.
    • Mandate end-to-end encryption.
    • Set a firm sunset date for magnetic stripe card issuance/replacement.
    • Require tokenization in-application and online.
    • Work with all payments stakeholders to develop a more open payments Tokenization standard.

    FIs:

    • Require dynamically authenticated customer payments registration.
    • Embrace online Chip and PIN.
    • Speed EMV Card Issuance.
    • Sunset magnetic stripe card issuance/replacement.

    Merchants:

    • Speed EMV Acceptance.
    • Adopt EMV tokenization specification now, and in parallel work with all payments stakeholders to develop a more open tokenization standard.
    • Devote substantially more resources to improving digital payments security; recognize incremental expenses as a basic cost of doing business.

    Regulators:

    • Encourage development of an open payments tokenization standard.
    • Examine all payments stakeholders, including, selectively, merchants. The Consumer Financial Protection Bureau (CFPB) would have the authority to perform payment security related merchant examinations, perhaps against a set of PCI derived requirements. These examinations could help to establish a more effective enforcement regime and better motivate substantially improved and sustainable security hygiene.

    Does PCI have a role going forward? Because the standard is perhaps the industry’s best payments-specific security framework, PCI should not and will not go away. And the PCI standard seems the best basis of a merchant payment security regulatory examination protocol, perhaps administered by the CFPB.

    I believe the industry has to fundamentally devalue the payments data fraudsters seek across all channels, much more quickly than I might have expected even six months ago. That will require taking steps, such as sunsetting magnetic stripe card acceptance, sooner rather than later, and will require a degree of collaboration among payments stakeholders that we have not seen in some time.
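The “devaluing” of payments data that the post calls for is what tokenization delivers: the merchant stores a surrogate, the token-to-PAN mapping lives only in a vault, and a stolen copy of the merchant’s database carries nothing a fraudster can spend. The sketch below is an added example, not code from the post or from any payments brand’s tokenization specification. Everything in it is assumed for illustration: tokens are random (from the OS CSPRNG), format-preserving (same length and last four digits as the PAN, and Luhn-valid so legacy systems that validate card numbers keep working), and can be reversed only by a caller on an allow list. The PAN used in the demo is the widely published 4111 1111 1111 1111 test number.

```python
"""Tokenization vault sketch: added example, not code from the post.

Assumptions made here (none are stated in the original):
  * tokens are random digits drawn via `secrets`, so no key or formula
    recovers the PAN from the token; only the vault mapping does;
  * tokens are format-preserving: same length as the PAN, same last four
    digits (for receipts and customer service), and Luhn-valid;
  * a real vault would encrypt stored PANs and sit in a separately
    controlled zone; this in-memory dict only models the mapping.
"""
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """True if `number` is a digit string that passes the Luhn mod-10 check."""
    if not number.isdigit():
        return False
    total = 0
    # Walk right to left, doubling every second digit starting with the one
    # immediately left of the check digit; subtract 9 from doubled values > 9.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    # Only the payment-processing path may turn a token back into a PAN.
    AUTHORIZED_CALLERS = frozenset({"processor"})

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for `pan`, minting one the first time it is seen."""
        if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        if pan in self._token_by_pan:          # same PAN -> same token, so
            return self._token_by_pan[pan]     # repeat-customer analytics work
        while True:
            token = self._random_token(pan)
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Recover the PAN; refused unless `caller` is on the allow list."""
        if caller not in self.AUTHORIZED_CALLERS:
            raise PermissionError(f"{caller!r} is not allowed to detokenize")
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]

    @staticmethod
    def _random_token(pan: str) -> str:
        """Random digits in front of the PAN's last four, fixed up to pass Luhn."""
        last4 = pan[-4:]
        body = [secrets.randbelow(10) for _ in range(len(pan) - 4)]
        # Varying a single digit walks the Luhn sum through all ten residues
        # mod 10, so exactly one value of body[0] makes the whole string valid.
        for d in range(10):
            body[0] = d
            candidate = "".join(map(str, body)) + last4
            if luhn_valid(candidate):
                return candidate
        raise RuntimeError("unreachable: some digit must satisfy Luhn")


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"      # widely published Visa test number
    tok = vault.tokenize(test_pan)
    print("token:", tok, "luhn ok:", luhn_valid(tok))
    print("processor sees:", vault.detokenize(tok, caller="processor"))
    try:
        vault.detokenize(tok, caller="marketing")
    except PermissionError as exc:
        print("refused:", exc)
```

Two design points matter for the argument above. Because the token is random rather than derived from the PAN, there is nothing to brute-force or decrypt in a stolen merchant database; the only attack surface that remains is the vault and the detokenize path, which is why that path is restricted to one caller. The format preservation is a convenience for legacy systems, not a security property, and a token that is Luhn-valid can still be mistaken for a live card number by careless tooling, so a production scheme would reserve a token range that cannot collide with issued BINs.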

    For more than 35 years, Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.

    The Cybersecurity Panic Room...

    04-21-2015


    A panic room is a fortified space built into a private home or business to provide refuge from an intruder. Panic rooms typically contain the means to contact law enforcement or medical help and the supplies to sustain basic needs until help arrives. Residential panic rooms bring up images of elite homeowners; for corporations, the focus is a refuge for key executives during a physical break-in. In today’s world of cybersecurity intrusions, where is the virtual panic room? Is there such a thing, and why does it feel so out of control?

    The first quarter of 2015 brought more industry focus on cybersecurity, malware, threats from compromised credentials, and vulnerability management. According to the Identity Theft Resource Center, an estimated 86 million records, including credit and debit card data, were compromised.

    Verizon released its 2015 PCI Compliance Report, with interesting results on the current state of payments security. The PCI Security Standards Council is planning an out-of-band 3.1 update to the PCI Data Security Standard as a result of the 2014 rise in vulnerabilities such as Heartbleed and POODLE. Payments security compliance is not an annual event or hurdle; it needs to be embedded in the DNA of how each organization operates, 24/7/365.

    5 Scary Factoids

    • 67%: in 2014, two-thirds of organizations surveyed did not adequately test the security of all in-scope systems
    • 4 out of 5 companies fail at interim assessment, demonstrating a lack of sustainability of controls
    • PwC reported in a survey of 9,700 companies that they had detected nearly 43 million security incidents in 2014, a compound annual growth rate of 66% since 2009
    • 45% of Americans say that they or a household member have been notified that their credit card information had been compromised
    • 69% of consumers would be less inclined to do business with a breached entity

    Even Money Magazine weighed in on data breaches in its April edition, highlighting for consumers what to do after a breach. It’s all about putting the risk in perspective and taking a risk-based point of view rather than having a panic attack. Consumers may be facing media fatigue or despair at the daily onslaught of the latest cyber risk or breach. The report outlined a few basic reminders to help consumers downgrade from panic to managing their risk and put some element of control back into their lives.

    5 Tips to Help Consumers

    • Pay the most attention to any breach or compromise that involves high-risk data such as your SSN. This data element is the master key to identity fraud and to opening accounts in your name. For the greatest reduction in your panic level, freeze your credit with the credit bureaus and put yourself in control of any new credit accounts.
    • You change the batteries in your smoke detectors annually; you renew your insurance annually. Make a schedule to review and change your passwords, starting with the accounts that carry the most financial or personal-data risk. Don’t create your own panic situation by reusing passwords across applications: when you get a breach notice from one company, you won’t remember that the same password protects another account.
    • Know the difference between your credit and debit card. Because both are accepted the same way at checkout, consumers can be lulled into a false sense of security, but the legal rights for disputing transactions differ between the two. Always check your statements for fraudulent or unrecognized transactions.
    • Don’t respond to unsolicited emails; they are likely phishing campaigns to collect “more” data about you which, combined with data already compromised, helps fraudsters take further fraudulent action. Legitimate organizations request updates to security credentials after a successful logon or on a periodic basis, not via an outbound email campaign. Fraudsters are simply exploiting consumer panic.
    • Don’t be lulled into a false sense of security by credit monitoring, which only alerts you to certain types of fraudulent activity. In today’s automated payments environment it is easy not to pay attention to details, but check your account statements frequently for fraudulent transactions and report them to your financial institution.

    Bottom line: there are no easy answers, and no safe panic room to hide in until the cyber-threat goes away. We are in a new era of digital fraud and cybersecurity, and our technologies and customer education strategies need to help consumers navigate panic in times of crisis.

    For me, at work I’m going to consider how to break the challenge into the building blocks of security and privacy fundamentals to get to consistency and sustainability of controls. At home, I’m going to follow my own advice and create a prioritized list of where I need to decrease my own risk. Then I’m going to hunker down and eat some popcorn while watching the downloaded movie Panic Room and see how the bad guys get trapped. Maybe I’ll start to write the screenplay for the sequel, called The Digital Panic Room, set in our not-so-distant cyber future.

    Linnea Solem is Chief Privacy Officer and Vice President, Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    How Do I Get My Program Up and...

    04-08-2015


    So, you just walked out of a meeting with the C-suite and you’ve been tasked to implement a new program across the organization. You get back into your office and reality sets in as you mumble to yourself, “How do I start this?”

    I have been getting this question for years from professionals tasked to implement similar programs (most notably, third party risk management programs), which must address not just internal compliance concerns but regulatory ones as well. I quickly realized it was far more beneficial to write down something simple for them that could be easily remembered and used as a guide instead of having them take copious notes of my monologue. What I arrived at (with guidance from CVS Health’s then-CPO Ken Mortensen) was the following Order of Implementation formula that anyone stumped by such a task can quickly reference:

    P = p1 (p2 + p3)

    Let’s review the components and put them into their proper context:

    • P – the Program you plan to implement
    • p1 – the policy
    • p2 – your processes
    • p3 – your practices

    Now, recall from your basic algebra class the “order of operations” (that is, parentheses first, then left to right) and you’ll begin to see why the formula is developing a solid track record as the Order of Implementation when instituting a new program.

    Order of Implementation
    Following the Order of Implementation, it’s essential to focus first on establishing and documenting your processes (your p2). Processes are a series of documented actions or steps that are taken in order to achieve the objective for your program. These are the whos, whats, wheres and whens for the program and these need to be documented, filed for ease of access, reviewed periodically and modified when augmentations are required.

    Next, let’s look at your practices (p3), which are your way of “doing things.” These are the items that you or your team perform on a daily or routine basis. Though these don’t necessarily need to be documented, they must be consistent and understood by your management and, where required, by other business lines.

    Now, when you put your processes and your practices together (that is; p2 + p3) you’ve probably noticed these become your operating procedures for executing your program. This is what your compliance folks and regulators will most likely want to review for soundness, if and when they darken your door.

    Lastly, we have your organization’s policy (p1), which is the course or principle of action adopted or proposed by your company. Though policies are generally communicated by the C-suite and are referred to as “guidance,” not following the policy usually results in disciplinary action, including termination in some cases.

    Pitfalls of Not Following the Formula
    Many people have tried to implement their programs by enacting their policy (p1) first; this almost always turns out to be a mistake. There are many reasons why this is the case but the most common tend to be either (A) organizations want to put their strongest efforts into creating the policy first — viewing it as an easy win to show to compliance officers or regulators (i.e., “We have to show we have policy for doing this”), or (B) the policy becomes too detailed, often having p2 and p3 embedded into it, thus making it unreadable and unsustainable as new processes and practices are added or when existing ones change.

    The biggest danger most commonly witnessed in implementing p1 first is that once the policy is in place, these organizations then tend to hide behind the policy as an excuse for not having to go into further detail as to the inner workings of their program. Remember, compliance — and more importantly, regulators — want to see the entire picture in order to get a true gauge as to a program’s functionality and later on, its maturity. This means you must have guidance and evidence to back up your p2s and p3s.

    Another pitfall I’ve seen, though not as common, is that once an organization has established and documented its processes and practices (p2s and p3s), it has either failed to establish a policy or the policy is hanging in limbo awaiting further review by the C-suite or legal counsel. I’m sure we’ve all been in a situation, or seen a department head who, when told to comply with a program, retorted, “show me the policy.” To avoid this trap, be sure to have your policy readily on file after you’ve established your p2s and p3s, and have it communicated throughout the enterprise and understood by all appropriate business leaders. Failing to do so creates a “paper tiger”: a program without any teeth.

    Getting it Right the First Time
    We are all cognizant as to the importance of getting our programs off on solid footing and the Order of Implementation formula (aka: Garrubba-Mortensen formula) can assist in providing high-level guidance to help ensure you’re setting the basic groundwork the first time around.

    In upcoming columns, I will continue this discussion on governance models, touching on the successes and challenges of implementing both centralized and decentralized programs.

    Shared Assessments Senior Director Tom Garrubba is an experienced professional in IT risk and information controls, most recently developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.

    Originally posted on Huffington Post blog.

    Social Media Should Require a ...

    04-02-2015


    Social media usage has shifted with customer adoption. The growth of applications, and of consumers joining the social media bandwagon, has influenced how consumers use technology, interact with friends, family and coworkers, and purchase from brands they trust. Pew Research Center estimated in 2014 that 73 percent of Americans over age 18 use social media, and many consumers use more than one social media channel. Social media has become a shiny new toy for marketing teams to reach out to customers.

    Social media is a very complicated digital landscape. Banks use social media for customer experience outreach, but also to acquire new customers and market their financial products and services.

    Regulators have put out a safety warning to ensure that risk and compliance teams address consumer protection and regulatory compliance in their social media governance programs. The published FFIEC guidance defines social media as “a form of interactive online communication in which users can generate and share content through text, images, audio and/or video.” How social media is used varies widely with the strategy or goals to be reached.

    Managing social media requires synthesizing different goals for driving engagement, managing content, enhancing reputation and driving results. Financial institutions may use social media for a variety of purposes, including marketing, incentives, new account applications, feedback, PR/brand awareness, customer service and consumer education.

    Understanding Social Media Compliance Risks
    The pace of adoption and advancements in technology require an update to social media governance strategies to address key social media compliance risks. Operational risk for social media can focus on several key risk areas:

    • Data leakage
    • Internet threats and vulnerabilities
    • Regulatory compliance and eDiscovery
    • User behavior

    Social media strategies tend to originate in marketing communications or brand strategy. As usage shifts with the adoption of mobile and digital payments, social media compliance needs to be integrated into traditional privacy and security oversight and education programs. Social media by its very nature promotes the sharing of information, which creates the risk of disclosing confidential information. The perceived lack of control, and the speed at which information can go viral, create defamation or libel risk without effective monitoring and oversight functions. The cybersecurity risks highlighted by recent hacks have created a focus on vulnerability management. Data leakage risks require a partnership between information security and marketing teams on how to minimize technology risk to the organization based on how social media applications are designed, implemented and maintained.

    Compliance and legal risks in social media can originate from violations of, or non-conformance with, laws, rules and regulations. In addition, a financial organization using social media can find itself violating its own internal policies and procedures if it has not identified the cross-linkages to its privacy, security, and compliance policies. Bottom line: managing social media compliance requires a holistic viewpoint across multiple operational risk focus areas.

    Ten Simple Do’s and Don’ts in using Social Media
    If using social media to market specific financial products or originate accounts, the bank must take steps to ensure advertising, account origination and document retention comply with applicable consumer law and internal policies or accountholder agreements.

    1. Don’t forget the details – Disclosures on fees, APY, interest rate and terms need to be accessible
    2. Don’t rely only on pop-ups – Disclosures contained in web pop-ups are discouraged as they could be blocked by consumer device settings
    3. Don’t forget to display compliance logos – Deposit insurance membership and fair lending display requirements apply to social media for deposit and lending products
    4. Don’t be vague in the offer – Make sure your advertising for deposit accounts is not misleading or could misrepresent the deposit agreement.
    5. Don’t forget records retention – Creditors must preserve prescreened solicitations even through social media
    6. Do be clear and conspicuous – Place disclosures as close as possible to relevant claims
    7. Do display accurate information – Make sure electronic advertisements with triggering terms display key disclosures like minimum balances
    8. Do update your privacy policies for social media usage
    9. Do address potential or perceived discrimination – Ensure social media lending promotions would not discourage on a prohibited basis
    10. Do leverage technology – Advertisements should be mobile optimized to ensure clear messaging

    Linnea Solem is Chief Privacy Officer and Vice President, Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    Voice Privacy: An Emerging Con...

    03-17-2015


    We tend to think of conversations as ephemeral. If a conversation is sensitive, we stop typing and start talking. Our long history of telecommunication regulations has led us to believe our conversations are safe, protected, regulated.

    And yet some conversations that feel ephemeral aren’t. With the advent of smart phones, we have stopped simply talking through our devices and started talking to our devices. And here is where things get complicated.

    When we talk to our virtual assistants (e.g., Apple’s Siri, Amazon’s Echo or Microsoft’s Cortana) those conversations are recorded and kept. How long and for what purpose varies from company to company. What is clear is that you have limited control about what happens to these recorded conversations.

    Prior to the advent of virtual assistants, the vast majority of voice conversations were not recorded. Customer service desks and regulated industries record our calls for “quality assurance,” “training” and/or “compliance” purposes. As much as we may not like having those conversations recorded, we have been willing to make the trade, in part because it represents a small percentage of our total conversations.

    That is no longer true. More and more of our conversations are being recorded without our truly informed consent or choice. The advent of the virtual assistants is just the first wave of recorded voice. We are quickly leaving the realm of keyboard and mouse as our primary input technology for a world of voice as the interface to the Internet. In short, all future applications will need to address the issue of recording human voice and how to handle it.

    Given how rapidly this new interface is emerging, it is time to make the voice privacy problem clear and explicit. How is voice different from symbolic data?

    The short answer is: Voice contains our identity. Hear a person talk and you can identify him/her. Not only that, you can identify their intent, humor, use of sarcasm. Voice is a far richer data set than text. Consider the impact a voice recording can have in a court proceeding versus an email. With voice, there is no more wiggle room. The jury will know if you were not kidding.

    From a strategic perspective, there is some good news. Voice data is not yet being collected en masse. We have a chance to think proactively and begin putting programs in place.

    From a risk management perspective, it is important to be aware of the issue and start asking questions of your executive management about how your corporation handles voice data that is recorded today. Key questions to ask are:

    • How do we currently handle the capture of customer conversation?
    • How do we use that information specifically?
    • Do we have any applications that use voice as an interface?
    • Does our data destruction policy cover voice information?
    • Do we give our customers a choice of having a conversation recorded or deleted?

    The last question is there to start a strategic conversation. As more customer inquiries originate online and may use voice or video, there is an opportunity to allow the customer to opt out of recording. This “opt out” option may serve as a way to garner consumer trust and allow your organization to be an early mover in the “privacy as loyalty” world that is quickly emerging.

    The opportunity to garner consumer trust and loyalty by taking a lead position on voice privacy is at hand. To help illustrate this point, let’s look at two different corporate approaches to voice privacy. Amazon allows Echo consumers to delete voice records online through their account management settings. Apple does not allow consumers access to their voice recordings; it holds the original voice data for a minimum of six months and then claims to “anonymize” the data. The archived voice record is used, according to Apple, to improve its algorithms and functionality.

    If we look through the lens of power, the contrast in these two corporate stances is stark. Apple holds all the power. If you use Siri, Apple defines how it will use your voice and for what purposes. If you don’t like the terms, your only recourse is to not use Siri.

    In contrast, Amazon does indeed record your voice and use it, but it ultimately gives the consumer sovereignty over that data. If you are concerned or uncomfortable, you can delete your voice data. The power is more balanced between Amazon and its consumer.

    From a brand perspective, which of these two corporate approaches engenders more consumer trust and loyalty?

    Ultimately, the solutions to voice privacy will come from a combination of businesses investing in consumer trust and government regulations catching up with the wild, wild west of Silicon Valley. The prevailing winds are favoring a “Privacy Spring” as consumers are becoming increasingly vocal about the personal toll of the recent data breaches and resulting identity theft. The real question is: On which side of history does your corporation wish to be?

    E. Kelly Fitzsimmons is a well-known serial tech entrepreneur who has founded, led and sold several technology startups. Currently, she is the co-founder and director of HarQen, named one of Gartner’s 2013 Cool Vendors in Unified Communications and Network Systems and Services, and co-founder of the Hypervoice Consortium.

    The Football Approach to Tackl...

    03-12-2015


    The legendary Green Bay Packers coach Vince Lombardi was famous for his “Gentlemen, this is a football” speech at the beginning of each season. This return to fundamentals served his team well over the years: they won five NFL championships, including two Super Bowls.

    Businesses need the same back-to-basics approach when managing security risks to their data. This may seem counter-intuitive given the sophisticated nature of the threats surrounding us: nations are hacking nations and corporations are hacking corporations. Data breaches are everywhere, as evidenced by the numerous financial and retail breaches of the past two years, and security experts predict a similar trend for healthcare in 2015.

    Regulators are seeking assurance that proper security controls are in place both inside an organization and among its vendors. For instance, the Office of the Comptroller of the Currency (OCC), in bulletin OCC 2013-29, has told financial institution boards of directors that they are responsible for identifying critical vendors and validating their data protection measures. It comes down to this: either companies will police themselves and their vendors, or the regulators will swoop in and do it for them.

    Getting Back to Basics

    Despite advancing threats and regulatory scrutiny, we need to return to what football coaches call “basic blocking and tackling”; in the data security world, this means instituting time-tested privacy and security practices that, applied correctly, will work today and into the future. Here are my four favorite basic blocking and tackling techniques, which will serve any organization well:

        1. Identify everyone in your organization who has access to your data. Yes — everyone. Since departments continuously share data, you have to assume anybody has or can obtain access to data at any point. The reality is that many breaches originate inside an organization. This could be an unhappy or financially strapped employee looking to sell data on dark net black markets, or someone who has changed roles within the organization whose previous access has not been removed. These users and their roles should be reevaluated and approved periodically by appropriate management. Employees should be continuously educated on what to do if they find themselves accessing data that is not part of their job description, and understand there may be consequences for inappropriate access. Be sure to perform these reviews for all data, regardless of type.

        2. Know where your data is and how it is accessed. It’s easy to do this exercise if all processing and storage is done in-house, but that is rarely the case. I’ve encountered many companies of various sizes that truly can’t account for all the locations where their data may reside or how it is accessed. Third parties play a role in this dilemma, as the location of the data (e.g., backups, redundant sites, cloud) and how it is accessed (say, support from personnel working from home instead of a secured facility) may change without the third party notifying your organization.
        3. Ensure your vendors secure your data with equal or better security than your own. Most small and many mid-size vendors still lack appropriate levels of security across their enterprise. While there may be reasons why this is so, it certainly doesn’t let you off the hook. Outsourcing a task does not mean outsourcing the risk. You therefore need to validate their controls by having an assessment performed by qualified personnel. Furthermore, at least annually, analyze the scope of work being performed by the vendor and evaluate whether the data elements provided are truly required for their tasks (for example, does the vendor really need access to your customers’ Social Security numbers?).
        4. Utilize data encryption whenever you can. Data, especially sensitive data, should always be encrypted wherever it is stored. Furthermore, sensitive data should never sit unencrypted on portable devices (and yes, that means laptops too). A good rule of thumb for encryption of portable devices is the Massachusetts regulation 201 CMR 17.00, “Standards for the Protection of Personal Information of Residents of the Commonwealth” (more commonly known as “Mass 201” or “CMR 17” in data privacy circles), which requires personal information to be encrypted on any portable device. While it may be costly for you and your vendors to do so, the cost of not encrypting data, whether through lost business, regulatory fines, or class-action lawsuits, could be much higher. Remember, regulators claim the right to investigate your third parties, even if those third parties are not themselves in a regulated industry.
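Point 1 above describes a control that is usually run as a spreadsheet exercise but can just as well be a script: take the HR roster and the list of granted entitlements, and flag anything a manager would not re-approve today. The following is an added example, not the author’s code or any product’s, and everything in it is assumed for illustration: the record layouts, the role-to-entitlement policy, the one-year review period and the sample roster are all constructed. It flags the two failure modes the text names (access that survived a role change, and access held by someone who has left) and a third the text implies, entitlements nobody has re-approved within the review period.

```python
"""Periodic access review over constructed sample data: added example, not
code from the post.

Assumptions (none stated in the original): each entitlement record carries
the grant date and the date of the last manager re-approval; a role policy
says which entitlements each role legitimately needs; anything not
re-approved within a year is overdue. The roster and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

REVIEW_PERIOD_DAYS = 365  # assumed review cadence

# Reason codes carried in findings
TERMINATED_USER = "TERMINATED_USER"  # holder is not an active employee
ROLE_DRIFT = "ROLE_DRIFT"            # not permitted for the holder's current role
RECERT_OVERDUE = "RECERT_OVERDUE"    # last approval older than the review period


@dataclass(frozen=True)
class Person:
    user: str
    current_role: str
    status: str  # "active" or "terminated", as the HR system would report it


@dataclass(frozen=True)
class Entitlement:
    user: str
    name: str
    granted_on: date
    last_certified: Optional[date]  # most recent manager re-approval, if any


Finding = Tuple[str, str, str]  # (user, entitlement, reason code)


def review_access(
    roster: Dict[str, Person],
    entitlements: List[Entitlement],
    policy: Dict[str, Set[str]],
    today: date,
) -> List[Finding]:
    """Compare every granted entitlement against HR status, role policy and age."""
    findings: List[Finding] = []
    for e in entitlements:
        person = roster.get(e.user)
        # Not on the roster, or no longer active: the access should simply go,
        # so there is no point in evaluating the other conditions.
        if person is None or person.status != "active":
            findings.append((e.user, e.name, TERMINATED_USER))
            continue
        # Access the holder's current role does not need, typically left over
        # from a previous role.
        if e.name not in policy.get(person.current_role, set()):
            findings.append((e.user, e.name, ROLE_DRIFT))
        # Approval age counts from the last certification, or from the grant
        # if nobody has re-certified it since.
        last_approved = e.last_certified or e.granted_on
        if (today - last_approved).days > REVIEW_PERIOD_DAYS:
            findings.append((e.user, e.name, RECERT_OVERDUE))
    return sorted(findings)


def sample_findings() -> List[Finding]:
    """Run the review over a constructed roster, dated around the post's date."""
    roster = {
        "alice": Person("alice", "payments-analyst", "active"),
        "bob": Person("bob", "marketing", "active"),   # moved out of payments
        "carol": Person("carol", "dba", "terminated"),
    }
    policy = {  # which entitlements each role legitimately needs (constructed)
        "payments-analyst": {"card-vault-ro", "reporting"},
        "marketing": {"crm", "reporting"},
        "dba": {"prod-db-admin", "card-vault-ro"},
    }
    entitlements = [
        Entitlement("alice", "card-vault-ro", date(2014, 11, 1), date(2015, 1, 15)),
        Entitlement("alice", "reporting", date(2014, 11, 1), None),
        Entitlement("bob", "card-vault-ro", date(2013, 6, 1), date(2014, 2, 1)),
        Entitlement("bob", "crm", date(2015, 2, 1), None),
        Entitlement("carol", "prod-db-admin", date(2012, 1, 1), date(2014, 9, 1)),
    ]
    return review_access(roster, entitlements, policy, today=date(2015, 3, 12))


if __name__ == "__main__":
    for user, entitlement, reason in sample_findings():
        print(f"{user:6} {entitlement:14} {reason}")
```

On the sample data, bob’s card-vault access is reported twice (it no longer matches his marketing role and it has not been re-approved in over a year), carol’s database admin access is reported because she has left, and alice’s entitlements pass. The point of checking against a role policy rather than against the role recorded at grant time is that it also catches access that was wrong from the start, not only access that drifted.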

        Share your game plan with your management

        Given today’s threat-filled landscape, no data is ever 100 percent secure. But by getting back to “basic blocking and tackling” and implementing simple or even mid-level controls, you can significantly reduce both the likelihood and the effects of a breach. Taking such steps consistently, and monitoring your results, will further prove to your executive management, the board of directors, and regulators that you are in lock-step with your organization’s security objectives, and will give you additional leverage to focus on and tackle more complex initiatives such as addressing your cybersecurity risks.

        Shared Assessments Senior Director Tom Garrubba is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.

        Originally posted on Huffington Post blog.

    Press Release: 10 Tips to Addr...

    03-05-2015


    PRESS RELEASE
    Contact: Lisa MacKenzie, MacKenzie Marketing Group, 503-225-0725,
    lisam@mackenzie-marketing.com or Kelly Stremel, kellys@mackenzie-marketing.com

    10 Tips to Address Latest Third Party Security Risks:
    Payment Systems, Data Breaches, Cybersecurity

    Experts Discuss an Ever-Changing Threat Landscape; Share Insights on Third Party Oversight and How to Manage an Effective Vendor Risk Management Program

    Santa Fe, N.M. — March 5, 2015 — Risks to sensitive data have never been greater. With the rise in cyber attacks and data breaches, outsourcing to third parties can present an exponential threat to corporations. New regulations, technologies, standards, and security threats require organizations to implement robust vendor oversight to meet and stay ahead of the latest risks and challenges from new payment methods and systems, data breaches, and cyber attacks. Shared Assessments, a cross-industry, member-driven organization focused on third party risk management, asked leading experts to offer new strategies and best practices that address the changing risk management landscape, especially when it comes to the storing, handling and managing access to sensitive data. Experts offer these top 10 tips:

    1. Hackers are using your third parties to get to your data.
    Understand the risks of outsourcing functions and make sure that you’re comfortable with their privacy and security posture, in advance of executing the relationship.
    Catherine A. Allen, chairman and CEO, The Santa Fe Group

    2. Ensure your third parties perform sufficient background checks on their workforce.
    The workforce continues to be one of the largest security vulnerabilities. Are you comfortable that the third party you are contracting with has performed sufficient background checks on all members of its workforce who will have access to your sensitive data, and is requiring its subcontractors to do the same?
    Adam Greene, partner, Davis Wright Tremaine LLC

    3. Proactively plan for third party data compromises.
    Many organizations are not prepared to manage their own incidents and cyber attacks—let alone plan for third party incidents and attacks. The same due diligence that organizations apply to their own incident response plans must be applied in this critical area of managing sensitive data outsourced to third parties, including demonstrating how they are protecting the data, maintaining a mature incident response plan, testing the plan, and providing strong contractual service level agreements to report compromises back to the organization.
    Rocco Grillo, managing director, Protiviti Inc.

    4. Implement a holistic approach to vendor risk management.
    Assessing and managing vendor risk is an ongoing process at each phase of the lifecycle of the third party relationship, from onboarding to ongoing monitoring, to exit strategies. Programs should adopt an approach that brings together all of the parts of an organization that play a role in third-party risk management, to drive a holistic approach to vendor risk assurance.
    Mary Kipp, president, El Paso Electric

    5. Don’t overlook nested relationships.
    Understanding how your service provider is protecting its relationships with other parties and the potential impact to your sensitive data is critical. As this dependency will only increase, organizations will need to manage these relationships intelligently, being diligent in evaluating and determining what additional parties are involved in the service provided; the level of risk involved; and how they can ensure the protection of payment card data wherever it may travel—including locations such as backup contingency for the service provider directly.
    Troy Leach, CTO, PCI Security Standards Council

    6. Know your vendor.
    This is essential for managing the risks holistically throughout the third party relationship lifecycle. One critical part of this practice is to perform a vendor risk assessment to identify, mitigate, and monitor security risks based on the organization’s control objectives. Applying industry standards will enable the organization to achieve efficiency and scalability in the implementation.
    Lin Lu, managing director, Deutsche Bank

    7. Define a comprehensive set of security safeguards for your data.
    You cannot outsource your security responsibilities with regard to protecting corporate data that is critical to your mission and business success. Defining a comprehensive set of security safeguards for the protection of such data and obtaining verifiable evidence that the selected safeguards have been effectively implemented, increases the level of transparency and trust between consumers and producers.
    Ron Ross, NIST Fellow, National Institute of Standards and Technology

    8. Don’t treat all third parties with the same risk perspective.
    Third party risk is not created equally. Define criteria to classify your service providers by risk or criticality, and focus oversight efforts. Make sure you define and drive your third party program, leveraging tools to support your objectives versus letting a tool drive your third party risk strategy.
    Linnea Solem, chief privacy officer and vice president-risk/compliance, Deluxe Corporation

    9. Factor in risks.
    Often in offshoring and outsourcing, companies account for operational or technical risks but do not factor in location risks. Also, companies factor in and monitor operations and service risk but do not factor in and monitor people-related risks. Monitoring risks is a key capability that risk managers need to either create themselves or buy. This capability needs to be real-time to be adequate and effective.
    Atul Vashistha, chairman, Neo Group

    10. Detect and share information about cyber threats.
    With a rapidly changing cybersecurity threat landscape, it is important to influence your vendor community to actively participate in Information Sharing & Analysis Centers (ISACs) to continually detect and share information about cyber threats. The more information organizations share, the more resilient all of our IT security programs will be.
    Brenda Ward, director, global information security, Aetna

    Shared Assessments Summit 2015 to Explore Additional Insights on Vendor Risk Management
    Additional vendor risk management insights and strategies will be discussed in detail at the 8th Annual Shared Assessments Summit 2015, taking place April 29-30, 2015 in Baltimore. Key topics at this year’s Summit include:

    • Governance and Oversight—An Old Concept with a New Landscape
    • The Learning Curve: Heightened Expectations and the Board’s Role in Risk Management
    • The Changing Payments Landscape: Impact of Recent Rapid Technology Changes on Risk Monitoring and Mitigation
    • Breach Incidents and Management
    • The Impact of Demographic Shifts on Technology Development, Corporate Management, and Risk Exposure
    • Software Application Security and Cybersecurity: Impact on Third Party Risk Management
    • Vendor Risk Management—Keeping Our Eyes on What Matters Most
    • Collaborative Onsite Assessments
    • Third Party Oversight

    For more information and to register, please visit: https://sharedassessments.org/shared-assessments-summit-2015/.

    About the Shared Assessments Program

    The Shared Assessments Program is the trusted source for third party risk management, with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic consulting company based in Santa Fe, New Mexico. On the web at https://sharedassessments.org.

    Staying Strategic with Third P...

    03-02-2015


    Banks have an opportunity to not only specify and assess controls, but also inspire a strategic and robust approach to risk management.

    Over the past year, the OCC, the FRB, and the FDIC have all released updated guidance on managing third party risk. One focus of this guidance is the identification of “critical” vendors and board-level approval, which highlights the importance of understanding how third parties expose the banks they serve to privacy concerns and operational risk. The question isn’t, “What happens to the third party if there’s an incident?” Rather, it’s, “What happens to the bank(s) served if there’s an incident at the third party?” The importance of this distinction is obvious, but too often overlooked by those tasked with managing third party risk.

    As an assessor, it’s easy to focus on the third party under review while ignoring the dynamics of the relationship between that third party and the business process it serves within your organization. Outside of an organization’s senior ranks, it’s rare to find individuals who understand key processes end to end, including the roles played by vendors and other third parties. In this light, the recent theme in regulatory guidance is both strategic and timely. In addition to prescribing expectations for vendor due diligence, the new guidance should have the positive effect of influencing banks to put their vendor risk management programs into better context within their own business risk.

    Nevertheless, many banks still act tactically when it comes to assessing and monitoring how third parties manage risk. As an example, our organization was recently asked to provide an official response describing how it dealt with the Shellshock vulnerability. Frankly, this isn’t the right question.


    Heartbleed, Shellshock, and POODLE have gotten more than their fair share of press over recent months. But if an organization only addresses the vulnerabilities that are featured by the mainstream press, it’s doomed. The Common Vulnerabilities and Exposures (CVE) database, operated by the MITRE Corporation (a federally funded, nonprofit organization), aggregates and standardizes reporting on vulnerabilities. The CVE database recorded over 7,200 vulnerabilities during 2013, and as of October 15 had already recorded over 6,000 new vulnerabilities for 2014. With a tempo of approximately 20 new vulnerabilities every day to consider and, if applicable, mitigate, IT organizations have to treat vulnerability management as a short-cycle control, or even a continuous control, if they’re going to adequately protect the systems, data, and business processes they support. The question isn’t, “What did you do about Shellshock?” Instead, the correct question is, “How do you manage vulnerability reports by the thousands each quarter – and do so without disrupting business operations?”

    The Gramm-Leach-Bliley Act (GLBA) of 1999, whose section 501(b) Safeguards Rule went into effect during 2003, kicked off the current third party risk management frenzy by requiring banks not only to implement a security plan for protecting customer information, but also to flow that plan down to their third parties by way of contractual obligation and assessment. Since that time, regulatory guidance has continually increased the scope of these programs to include broader topics of risk, in particular drawing attention to operational risks that threaten the resiliency of the banking system itself.

    Perhaps more valuable than the guidance is the example set by the seemingly organic maturation of that guidance over the past decade. The regulatory mission in this case is one of “public health” and its objective is to drive a minimum standard of risk management capabilities across a wide community. Being examined by a regulator can be disruptive and bothersome, but the strategic dialogue driven by these interactions is a positive and important outcome. To the degree that third party risk management programs essentially place banks into the role of “regulator” of their vendors, there’s an opportunity to not only specify and assess controls, but also inspire a strategic and operationally robust approach to risk management.

    Sean Cronin, VP and General Manager for the Risk Suite business at ProcessUnity, is responsible for leading all aspects of ProcessUnity’s Risk Suite line of business, including strategy, marketing, sales, client services, and strategic partnerships. He brings over 12 years of Governance, Risk and Compliance (GRC) experience to the company. Sean graduated from the United States Naval Academy, served for 7 years as an officer in the US Navy, and earned his MBA from the University of Rhode Island.

    Reposted with permission from ProcessUnity. Originally posted in Information Week’s “Bank Systems & Technology” blog.

    Dear Member of the Board...

    02-24-2015


    Whether you’re a board member of a retailer like Starbucks or sitting on a large financial services board like JPMorgan Chase, I’ll bet you’re pleased at this point that you said no to SONY board membership. Though Enron is now nearly 13 years behind us, you may recall the U.S. Senate subcommittee finding that ultimately led to the passage of the Sarbanes-Oxley (SOx) Act in 2002: that “the Enron Board of Directors failed to safeguard Enron shareholders and contributed to the collapse of the seventh largest public company in the United States, by allowing Enron to engage in high risk accounting, inappropriate conflict of interest transactions, extensive off-the-books activities, and excessive executive compensation.” SOx better delineated the board’s oversight role where financial accuracy is concerned, called for board-level audit committees made up of outside (independent) directors, required attestation on internal controls, and emphasized that directors on boards are responsible for direct supervision of the company. At another level, it established independent oversight of public company audits via the PCAOB (Public Company Accounting Oversight Board), fondly referred to as “peek-a-boo” by the profession, which had for the prior 100 years engaged in self-regulation. Over 2,000 firms from over 80 countries are registered with the PCAOB today.

    As financial losses mount from mismanaged vendors, gaps in internal controls, and service outages from natural disasters or from cyber-attacks on publicly traded entities, many boards have paid more attention and modified the selection criteria for their members. No longer are boards simply cheerleaders for the CEO. Technology has become more critical to high-speed digital transactions, so companies have sought out directors with IT chops, just as they have recruited independent experts to sit on their audit committees. But rarely do companies require significant continuing education for board members, especially on esoteric topics like strategic risk, high-speed trading, privacy, business continuity or cyber-threats. So it’s entirely possible that a board member could read about the Target breach or the more recent SONY hack, ask a few questions and be reassured that it could not happen here.
    If you’re not already a member of (for example) the U.S. National Association of Corporate Directors (NACD), then how do you learn and what should you be looking for?

    Overconfidence from the C-Suite. The belief that “it can’t happen here” needs to be proved out to the board. If in fact, the board is not receiving threat or gap analyses directly from the Chief Information Security Officer and the Chief Internal Auditor on a quarterly basis, you should ask why not and raise the bar. For each explanation you receive from the executive team, you should ask how clearly the company’s program is explained in terms of importance and relevance, to employees and customers, in a show of “tone at the top.”

    Vague or inaccurate responses to questions. Don’t let executives “dumb down” explanations. Read widely in the company’s lines of business, and then be sure you get real answers to your questions. It is possible for executives to prepare briefing papers in clear English even though the material may be technical. In each case, the questions of risk and impact to revenues and reputation should be dealt with in addition to the costs being discussed.

    Issues not on the radar. Sometimes the CEO and CFO do not have a clue as to what could be going wrong on the operational side. I’m looking closely at this issue in the book I’m working on right now. At each level of the company, analyses can get simplified in the name of “executive presentation” to the point that the CEO/CFO believes that the risk level is being managed, or is manageable. In such instances, it is not that the C-suite is trying to conceal information from the board, which is why one of your primary responsibilities as a board member is to ask questions based on information you’ve received from other sources or events experienced by other companies. A prime example here is General Motors, where damaging information and costs were concealed for years. Bad news or an unfavorable review of a new product/service always carries the potential for reduced support or loss of position, which is why no one likes to let his/her manager know when something goes quite wrong. Asking questions is the best way to be sure that the board has all the information from a detailed briefing before making a decision.

    Finally, look for the outliers. When you join a board, one of your first requests should be for the regulatory and audit reports over the past few years so that you can see where the gaps in controls are and to monitor what is being done to close the gaps. Are there consistent patterns, such as mishandling of vendors or of confidential information? Is the technology up to date and redundant? What does the level of turnover look like at both the senior management and the executive level?

    Well-informed board members bring us one step closer to corporate stability.

    Annie Searle, Principal of ASA, helps companies build world-class risk programs. An internationally known expert in operational risk management, with extensive experience in the financial, IT and business sectors, Searle thrives on complex challenges.

    Originally posted in the January 2015 issue of the Risk Universe magazine.

    Rightsizing Tiered Approaches ...

    02-20-2015


    Last week was an active week of discussion on issues facing financial services companies. I presented at the 40th annual Roundtable for ISACA’s MN Chapter on The Next Generation of Third-Party Risk Management and attended Deluxe Exchange 2015, where an engaging keynote speech by Sheila Bair, former chair of the FDIC, highlighted critical issues facing financial reform and the financial stability of our industry.

    The dialog with information security auditors and third-party risk professionals reflected the current state of protecting data today. Professionals were feeling knocked out, just hanging in, and challenged to surmount the growing difficulty of revamping third-party risk management programs in light of the growing cyber security risks. Many events have changed our technology point of view in the last twelve months, from vulnerabilities with funny names to the wake-up call of the C-Suite and the pace of social media coverage. Breaches have gone from intrusion to disruption in changing our perspective.

    In looking at the area of regulatory compliance post Dodd-Frank, the financial implications for large and small institutions are disparate, as smaller banking organizations struggle to meet the same requirements without the people, technology, or manpower to address all the administrative and financial requirements. The capital debates caused by regulations like Basel II and the Volcker Rule are driving a dialog in our nation’s capital about the need for a two-tiered approach to regulatory compliance that better aligns governance with the products, services, and scale of the financial institution.

    While these events were very different in focus and topic, they gave me a chance to have one-on-one discussions with thought leaders and practitioners in risk and compliance, and I was struck by the commonalities of the challenges and of the approaches to navigating them successfully, with a simple message. It’s all about rightsizing.

    Everywhere in our life we are being shown the value of rightsizing – even the government is providing us advice on our eating habits with the new food plate, stating portion size is the key to weight loss. Reflections on the root causes of the mortgage crisis that led to the financial crisis had implications for homeowners who were buying homes outside their financial ability or budget appetite – they did not rightsize and many mortgage lenders allowed that gap due to economic incentives. We say we need to understand the culture of our risk appetite in implementing risk management programs – it’s all about rightsizing.

    Applying a rightsized viewpoint to common risk and compliance challenges:

    Information Security Audits
    The heightened attention in the past year on breaches has led to an increased focus on systems and network monitoring. Detecting abnormalities through log retention and review is not just a post-incident activity; it should also include analysis to detect unusual transactions or behavior by employees with broad access. A risk-based approach would focus on those areas that could access volumes of data, not just one transaction at a time.
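    To make the “volumes of data, not one transaction at a time” point concrete, here is a small added example (not code from the original post or from Deluxe or Shared Assessments) that aggregates a constructed data-access log per user and day and flags principals whose record volume is far above their peers. The log format, field names, and both thresholds are assumptions; the log lines are constructed sample data.

```python
"""Risk-based review of data-access logs: flag users whose daily volume of
records touched is far above the peer baseline.

Added illustration, not from the original post. The log format
("timestamp user action record_count"), field names and thresholds are
assumptions; SAMPLE_LOG is constructed sample data."""
from collections import defaultdict
from statistics import median

# Constructed sample log: one line per query.
SAMPLE_LOG = """\
2015-02-10T09:01:12 alice VIEW_ACCOUNT 1
2015-02-10T09:03:40 alice VIEW_ACCOUNT 1
2015-02-10T09:05:02 bob VIEW_ACCOUNT 1
2015-02-10T09:07:55 bob EXPORT_REPORT 35
2015-02-10T09:10:13 carol VIEW_ACCOUNT 1
2015-02-10T09:12:47 dave BULK_QUERY 4000
2015-02-10T09:15:30 dave BULK_QUERY 6500
2015-02-10T09:20:00 erin VIEW_ACCOUNT 1
2015-02-10T09:21:00 erin VIEW_ACCOUNT 1
2015-02-10T09:22:00 erin VIEW_ACCOUNT 1
"""


def parse_log(text):
    """Yield (date, user, action, record_count) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        timestamp, user, action, count = parts
        try:
            yield timestamp[:10], user, action, int(count)
        except ValueError:
            continue


def records_per_user_day(events):
    """Aggregate total records touched per (user, date) rather than per query,
    so a series of individually ordinary queries still adds up."""
    totals = defaultdict(int)
    for date, user, _action, count in events:
        totals[(user, date)] += count
    return dict(totals)


def flag_bulk_access(totals, absolute_floor=1000, peer_multiplier=10):
    """Return (user, date, total) for principals whose daily volume exceeds
    both an absolute floor and peer_multiplier times the median of all
    (user, day) totals. Both thresholds are illustrative assumptions."""
    if not totals:
        return []
    baseline = median(totals.values())
    flagged = [
        (user, date, total)
        for (user, date), total in totals.items()
        if total >= absolute_floor and total > peer_multiplier * baseline
    ]
    return sorted(flagged, key=lambda row: -row[2])


def review(text=SAMPLE_LOG):
    """Run the whole pipeline over a log and return the flagged rows."""
    return flag_bulk_access(records_per_user_day(parse_log(text)))


if __name__ == "__main__":
    for user, date, total in review():
        print(f"{date} {user}: {total} records touched (review recommended)")
```

    The two-part threshold is the design choice to note: the absolute floor keeps a quiet day from flagging a normal user simply because the median is tiny, while the peer multiplier keeps the check meaningful on busy days when everyone’s volume rises. On the sample above, only the user who pulled thousands of records in two bulk queries is flagged, not the user who exported a single 35-record report.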

    During third-party reviews, it is important to review how a third party manages security policy exceptions, but also the nature and risk of the exception. Materiality is critical to rightsizing the level of oversight and approvals required.

    Critical Suppliers
    The OCC guidance takes a “rightsize” approach – while the guidance did expand the definition of a third party, and created heightened expectations for risk and regulatory/operational risk oversight, it did not mandate the same level of oversight to all vendors.

    Organizations need to tier or classify their third-party relationships by criticality – which can be interpreted as reliance – or by risk. In either case, the classification approach creates a tiered structure that applies more rigorous audits to the highest-risk vendors. Smaller or lower-risk services still require contractual protection, but the level and frequency of due diligence can be rightsized to the service the third party is providing.

    Complaint Management
    Consumer protection and UDAAP enforcement require financial institutions to monitor and address customer complaints.

    Complaints can be an early indicator of potential problems in how financial products or services were sold. However, not all complaints are alike. Bottom line, most consumers don’t like fees of any kind, but it is important to put complaint management analysis into tiers to identify the common themes. Monitoring credit or refund requests and complaint-to-sales ratios can help an organization weigh or quantify which complaints may need further inspection of marketing practices. The rightsized approach focuses attention on the complaint trends that could be an early indicator of customer confusion or misunderstanding of fee structures.

    Overdraft Protection
    Even in the area of overdraft protection we can see a rightsized approach. High-volume users of overdraft may be using it more as a payday lending solution. Proportionality of the overdraft fee to the dollar value of the overdraft is also a rightsized approach. Monitoring the volume and number of overdrafts per year can allow an organization to establish a tiered structure for users, and that information can be leveraged to identify the “right” financial products and services to meet their budget needs.

    While Dodd-Frank “supersized” risk and compliance obligations, the pendulum has swung far in terms of restructuring the financial services regulatory structure. I think the debate now will be on how to identify the mechanisms to tier or stratify levels of risk management and governance based on the size of the institution and the size of the risk. Sometimes simple answers are the best answers to challenging or complex problems. We can’t eliminate risk; we need to mitigate it, but we don’t want to over-engineer compliance and stifle innovation.

    My new mantra for 2015 is: Let’s rightsize it.

    Linnea Solem is Chief Privacy Officer and Vice President, Risk and Compliance, for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs.

    Cybersecurity: The 2015 Buzzwo...

    02-17-2015


    Cybersecurity is the hot topic du jour. According to IBM’s 2014 Cyber Security Intelligence Index, there were 1.5 million monitored cyber attacks in the United States, and WIRED.com cites nation-state attacks, extortion, data destruction, and third party breaches among the biggest security threats for 2015.

    Regulators are taking notice, with recommendations and guidelines to help financial institutions and other organizations wage war on these ever-growing threats. Shared Assessments remains at the forefront of educating third party risk professionals on the latest risks, and best practices to meet these threats and adhere to regulations. Our collective community of industry thought leaders keeps us relevant and up-to-date, working collaboratively to develop tested strategies, approaches, best practices, and our newly updated and released Shared Assessments Program Tools.

    Last February, NIST released its Cybersecurity Framework, a set of voluntary cybersecurity standards that has gained widespread acceptance across industries. The Shared Assessments Program Steering Committee recognized the framework as a solid foundation for creating and implementing a cybersecurity program. Each of our Development Committees, which are tasked with ensuring the Tools meet industry regulations, guidelines and standards, performed a gap analysis of our Program Tools against the NIST Cybersecurity Framework to confirm alignment. The Shared Assessments Program Tools—specifically the Vendor Risk Management Maturity Model (VRMMM)—help risk professionals implement the standards described in the framework. The gap analysis validated that the Shared Assessments Program is in alignment with the Framework.

    Cybersecurity in Banking
    On the financial front, the Federal Financial Institutions Examination Council (FFIEC) examined the cyber risks of 500 banks. In a recent American Banker webinar, Bank Cybersecurity and Regulatory Imperatives, Amy McHugh, senior associate, IT Consulting, CliftonLarsonAllen LLP, shared the FFIEC’s findings and its recommendations to banks for addressing cyber threats in 2015:

    • Better identify and mitigate cyber attacks
    • Better identify and understand vulnerabilities
    • Understand and become more knowledgeable of inherent risks
    • Incorporate more efficient cybersecurity controls, namely patching and intrusion prevention and detection systems
    • Establish formal audit programs
    • Improve cyber incident management and resilience with a formal incident response program and board reporting

    The FFIEC recommendations are also in alignment with Shared Assessments’ 2015 initiatives and Tools. The Shared Assessments Program Tools include the latest Incident Management and Business Continuity sections as well as up-to-date international, federal, and industry standards, including ISO 27001/27002, PCI DSS, HIPAA/HITECH, Office of the Comptroller of the Currency (OCC), COBIT, NIST, and FFIEC guidance.

    The Importance of Peer Groups and Third Party Relationship Management
    The FFIEC also encourages banks to join peer groups in order to share cybersecurity strategies and best practices. Cybersecurity is not the only concern for banks, however; 46 percent of the banks attending the webinar said that third party relationships are their greatest concern. Peer groups also provide a forum for banking and other professionals to share best practices for managing third party relationships. Shared Assessments, for instance, offers peer group collaboration and participation, educational opportunities, and the Program Tools to assist financial organizations in developing a well-structured third party risk assurance program.

    From Risk Management to Risk Assurance
    The Shared Assessments Program uses the NIST Cybersecurity Framework, FFIEC recommendations, and other industry/regulatory guidance to ensure its Program Tools and resources remain relevant to its members and meet their risk management needs. In addition, the Shared Assessments Program will continue to offer members opportunities to network with their peers and collaborate on best practices for managing cyber, third party, and other types of risk. The Program Tools and peer collaboration empower organizations to move from risk management to risk assurance, even in the face of cyber attacks, third party vulnerabilities, and other threats.

    Angela Dogan is Senior Project Manager for the Shared Assessments Program, focusing on enhancements to the Program’s Tools by the Development Committee and Special Interest Groups, and the development of briefing papers on vendor risk management best practices.

    Why Handshakes Are Not Enough ...

    02-12-2015


    The days of doing business with a handshake and a smile are long gone. However, one thing continues to remain constant—how few vendor contracts are updated, even if the scope of service changes. This can be detrimental to an organization, particularly if the vendor is handling sensitive data such as personally identifiable information (PII), protected health information (PHI), cardholder data (CHD), or confidential, intellectual property and strategic data (also known as CIPS).

    Periodically reviewing—and appropriately updating—master services agreements ensures both parties are aware of the processes, the data elements, and where the data processing is being performed. In other words, contracts must be continuously reviewed and revised as scopes of work change. The best way (or at least, the cleanest way) to update the master services agreement is via addendums that are signed and dated by both parties.

    Effective vendor risk management lies in managing the details. A key consideration in developing a durable vendor contract is identifying the success criteria for the vendor, which include:

    • The business unit’s requirements for the vendor
    • The technical requirements involved (e.g., data elements, IT components, connectivity)
    • The vendor’s requirements for the customer

    To ensure that all expectations (performance, compliance, regulatory, etc.) are met—and no one is blindsided—it is important for the organization to identify early and manage the following key vendor risk operational points:

    • Coordination between sourcing and vendor management
    • Vendor risk classification
    • The monitoring of vendor performance
    • Effective use of assessment results
    • Responding to and managing vendor performance issues

    But what do you do if the vendor is not living up to the agreed-upon expectations documented in the contract?

    An exit strategy is a must when a vendor does not meet its contractual expectations. It is a prudent step for the organization to ensure that a backup plan exists to either redirect the work to an already existing vendor used by the organization or to find a new vendor (one that most likely went through the previous request for proposal [RFP] process).

    In my upcoming session (#145—“Contracting for the Full Vendor Lifecycle”) at ISACA’s 2015 North America CACS taking place 16-18 March 2015 in Orlando, FL, I will discuss these and other challenges during the contract phase of the third-party relationship. Hope to see you there!

    Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn

    Originally posted on ISACA Now blog.

    The Critical Need for Third-Pa...

    yadzinski 02-10-2015


    The need for businesses to develop, implement and expand risk-based strategies across their supply chains has never been more critical. Widespread environmental disasters, political turmoil, social unrest and the plethora of recent information security blunders have ever-increasing potential to cripple – even destroy – otherwise healthy businesses. This is especially true for companies that rely on just-in-time (JIT) and outsourced services such as Cloud Computing that improve their bottom lines by reducing IT operational costs.

    The fact that an alarming number of companies are well aware of the need to take action and are choosing to wait until it is too late requires a closer look at the issues surrounding risk management and how it can help companies navigate the increasing complexity of global supply chains, gain visibility into their suppliers’ management processes, and protect their businesses from a growing number of threats.

    Supply chain transparency is essential for any business management process to be successful. The more committed companies are to thwarting potential business disruptions in the supply chain, the more robust and effective their responses are likely to be in the event of an incident of any type.

    Top Concerns
    According to an APQC survey, the top potential threats to supply chains differ from industry to industry, but a majority of business leaders report that they are concerned about:

    • High-impact natural disasters – floods, earthquakes, tsunamis
    • Extreme weather – hurricanes, tornadoes, severe snowstorms, heat waves
    • Political turmoil – large protests, regime changes, war zones
    • Unplanned IT and telecommunication outages
    • Data breaches
    • Cyber attacks

    While these six categories are perhaps the easiest to grasp, the list of serious potential threats that organizations are concerned about is much longer, as indicated in BCI’s 2014 Horizon Scan Report. Concerns that are just as ominous as the top six include labor strikes, financial instability/insolvency, loopholes in logistics contracts, utility supply interruptions, shortages of materials, mergers, changes in regulations, and ethical misconduct, to name just a few.

    There is a growing concern that business environment volatility continues to increase, making the task of managing global supply chains tougher every day. Changes over the last few years in the social, political, technological, environmental, and economic domains around the world suggest that the business landscape and paradigm of supply-chain management have transformed permanently.

    Outsourcing the supply chain and developing partnerships is now much more than just subcontracting or logistics management. These third parties are very likely to have different approaches to risk and varying policies on risk acceptance and mitigation. Assessing third parties and their associated risks is fast becoming a critical part of doing business. Assessing suppliers with tools such as the Shared Assessments Program Standardized Information Gathering (SIG) questionnaire, together with objective evidence of certification or compliance based on international standards, and updating that data on a regular basis, is quickly becoming the initial screening process that is essential for choosing suppliers and maintaining a level of confidence and transparency.

    While contracts will continue to remain an important part of ensuring that suppliers meet their service level agreements, it is important to remember that while such contracts assume stability, they are not a guarantee of stability (Pidgen, S. 2013. Hurricanes, supply chains and continuity). Depending on the crisis that causes a business disruption, penalties built into contracts with Tier 1 or Tier 2 suppliers are likely to fall well short of covering the significant financial losses endured by end customers.

    John DiMaria is a BSI Certification Portfolio Expert and Member of the Shared Assessments Steering Committee with over 30 years of successful experience in Management Systems and international standards. Connect with John on LinkedIn

    Notice: The views expressed in this blog are those of the author and should not be interpreted to have been endorsed or otherwise represent those of BSI Group, or any other of its employees, officers, directors or anyone otherwise affiliated with BSI Group.

    Data Breach: Threats, Plan, Re...

    02-09-2015


    Recently, I had the opportunity to co-present with John Sileo, from www.sileo.com at the 42nd annual seminar of the RIMS Society Minnesota chapter. John kicked off the event with a keynote titled “Data Spies, Hackers, and Online Attackers” which was a great foundation to our session on Cyber Security Fraud. While the audience was a sea of risk management professionals, with insurance acumen, from brokers, to insurance carriers, the dialog was all a reflection of the collective data breach experiences of the past 12 months.

    Our interactive breakout session focused on a dialog regarding cybersecurity threats, spikes and scares in identity theft, and the overall theme of the event focused on how organizations and people are changing their approach to cybersecurity simulation planning, and overall maturity of breach readiness.

    We started the sessions with three questions for the audience:

      1. Has your organization adjusted its approach to breach simulations due to 2014 breaches?
      2. Have you been able to leverage their mistakes?
      3. Is data breach readiness led by IT or business lines?

    There was vast recognition that data breaches are keeping the CEO up at night, but the risk insurance professionals wanted more information on how to quantify and measure the risk – both magnitude and likelihood. When asked, two-thirds of the attendees acknowledged that they had one of their debit or credit cards replaced in the last 12 months, and roughly one-third indicated that multiple cards had been affected. Here were some of the startling facts from the 2014 Javelin ID Fraud Report:

    • 33% of data breach victims become victims of ID Fraud
    • The number of ID Fraud victims has increased to 13.1 million
    • Fraud costs have decreased to $18 Billion

    Now the math wizards and actuaries wondered if that was new math, but the trends suggest either that the breaches are having an effect at the consumer level but not at the small business level, or that we have not yet seen their full effects. In fact, the potential for latency is high, as the fraudsters and hacktivists may get more creative with how they leverage the compromised data. While breach reports are reaching record levels, we can expect a surge in the adoption of cyber insurance. Data breach costs jumped 23% in 2014, but many of the costs have yet to be seen if future use of the stolen data creates more fraud or identity theft.

    The sources of a potential data breach can come from very disparate types of exposures: malicious insiders, negligent insiders, criminal hackers, hacktivists, and a cloud or third party compromise. The type of data being stolen and the reason behind it was a wake-up call after the Sony breach. Sony’s example brought to light that cyber security readiness is not just about stolen credit cards. Theft for misuse, blackmail, stealing corporate intellectual property and even creating fake identities have reached new levels.

    Synthetic ID Fraud
    Identity fraud – especially identities that contain portions of real personally identifiable information – can more easily be used to set up synthetic identities. When using a synthetic identity, the fraudster may take more time to establish accounts and increase credit levels, then “take the money and run” for a much higher eventual fraud financial loss. After the data breaches of 2014, a new type of synthetic ID fraud is emerging. Fraudsters take pieces of stolen identity from multiple sources and sell these new identities on the black market. It takes time to perpetrate these frauds, so consumers need to be vigilant in protecting and monitoring their accounts. Key best practices include putting credit freezes on your accounts and establishing account alerts for changes to your financial accounts. In doing some further research, I learned some new scary factoids on synthetic ID Fraud:

    • Synthetic identity fraud makes up 88.3% of all identity fraud and 73.8% of total dollars lost by U.S. businesses, based on research completed by ID Analytics.
    • According to the FTC, synthetic identity theft accounts for nearly 85% of the more than 16 million ID theft cases in the U.S. each year.

    Synthetic identities can look very real, which makes it more difficult for banks’ internal fraud models to identify suspicious patterns of activity. Fraud models will need to evolve and be enhanced to stay one step ahead of the more creative fraudsters.

    Bottom line, the lesson learned is that breach readiness and identity theft prevention are not just about IT Security. Organizations need to communicate at all levels, from the C-Suite to the front line employee. Breach readiness is like war games for risk and compliance professionals: a way to practice for the “big one” before it’s a Real One.

    Linnea Solem is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    The Board’s Role in Mana...

    02-05-2015


    Catherine A. Allen, Chairman and CEO, The Santa Fe Group, sat down with Erica Salmon Byrne, NYSE This Week in the Boardroom, to discuss the impact third parties can have on overall organizational brand and reputation. In addition, Catherine discussed the board’s role in third-party risk assessment.

    Happy New Year EMV...

    01-30-2015


    2014, on balance, was a very good year for progress in securing electronic retail payment transactions. Most importantly, many of the key payments stakeholders seemed to coalesce around the general understanding that three basic tools, EMV chip cards, payment tokenization, and end-to-end encryption, were all essential to make real progress toward next generation payments security. In October, bank customers with the iPhone 6 and 6 Plus were introduced to Apple Pay, a first of its kind application that combined secure element, phone based biometric customer payment authorization with payment tokens, keeping traditional 16 digit payment account numbers away from prying eyes. Also in October, President Obama announced that all federal government procurement and DirectExpress benefit cards (Direct Express cards are used to distribute social security, SSI, veterans’, and other benefits. Three banks will participate in the government’s “Smart Pay” program: Citibank, J P Morgan Chase and Co., and U.S. Bank) would be migrating to full chip and PIN functionality, a process that will begin this month. And – importantly – some of the largest issuers announced their intention to issue (and some did issue) chip and PIN capable cards to their retail customers in the United States, hinting that another milestone might be passed.

    Although it’s only January, we’ve already been reminded that progress toward optimizing the security of our payments environment is not always linear. Earlier in the month, J P Morgan Chase and Co confirmed that, despite a CEO level announcement to the contrary in February 2014, it has elected not to issue chip and PIN credit cards to its retail customers, instead opting to continue the pure chip and signature approach the bank has followed for several years. That decision moves the bank away from a place where it could influence the direction of other issuers toward an outcome that would better protect payment security for cardholders. Virtually all of the large issuers in the United States have backed the chip and signature approach to cardholder verification.

    Not all chip and signature cards are created equal, however, and it’s important to note that not every U.S. bank issued chip and signature credit card is completely devoid of PIN authentication capability at the point of sale. Most Wells Fargo EMV equipped credit cards, for example, have online PIN POS capability, where the PIN is returned to the issuer for verification in real time. With online PIN, bank customers in certain circumstances will be able to complete a transaction using a PIN when a terminal asks for it. As Wells Fargo says:

    “For most transactions you’ll finish with a signature, just like you do today, but you may sometimes need your PIN, especially outside the US” (See the Wells Fargo web site, https://www.wellsfargo.com/credit-cards/features/chip-card/chip-cards-demo)

    Online PIN functionality will help with some, but not all, transactions in Europe and elsewhere where unattended terminals and poorly informed check-out clerks effectively demand chip and PIN capability. That’s because in many parts of the world POS terminals do not communicate with issuer hosts in real time. Instead, offline POS terminals store transactions for a designated period of time and then, in batch mode, forward them for processing. In parts of the world where land line telephone access was historically expensive, online POS terminals were the exception, not the rule. To enable cardholder

    U.S. issuers can enable online chip and PIN capability with far less effort than what would be required for offline PIN (they do so for debit cards today), and online PIN is logistically easier and less expensive to maintain over time. The United States has an overwhelmingly online POS environment. And many large merchants are firmly on record as favoring a chip and PIN EMV implementation. Those merchants recognize that PIN based chip transactions significantly reduce both lost-and-stolen and Never Received Issue (NRI) related fraud losses.
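    To make the online-PIN versus offline-PIN argument above concrete, here is an added simplified model (not code from the original post or from any issuer) of how a terminal picks a cardholder verification method from the card's preference list. The `Terminal` and `Card` structures, the four terminal profiles and the three card profiles are constructed assumptions; the real EMV CVM list also carries condition codes and "apply next" flags, which are omitted here.

```python
"""
Simplified model of EMV cardholder verification method (CVM) selection.

Added illustration, not code from the original post. The structures below are
an assumed simplification of the EMV CVM list: a real list also carries
condition codes (amount thresholds, terminal type) and "apply next" flags,
which are left out here. Terminal and card profiles are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class CVM(Enum):
    OFFLINE_PIN = "offline PIN"   # verified by the chip itself, no host needed
    ONLINE_PIN = "online PIN"     # PIN block sent to the issuer host in real time
    SIGNATURE = "signature"       # needs a clerk to compare signatures
    NO_CVM = "no CVM"             # no cardholder verification at all


@dataclass(frozen=True)
class Terminal:
    name: str
    online: bool          # can reach the issuer host during the transaction
    attended: bool        # a clerk is present to handle a signature
    pin_pad: bool         # has a keypad for PIN entry
    allows_no_cvm: bool   # accepts a transaction with no cardholder verification


@dataclass(frozen=True)
class Card:
    name: str
    cvm_list: List[CVM]   # issuer's preference order, personalised on the chip


def terminal_supports(term: Terminal, cvm: CVM) -> bool:
    """Can this terminal perform the requested verification method?"""
    if cvm is CVM.ONLINE_PIN:
        # Online PIN needs both a keypad and a live link to the issuer host;
        # a batch (offline) terminal has no way to forward the PIN.
        return term.pin_pad and term.online
    if cvm is CVM.OFFLINE_PIN:
        # The chip verifies the PIN locally, so only a keypad is required.
        return term.pin_pad
    if cvm is CVM.SIGNATURE:
        return term.attended
    return term.allows_no_cvm


def select_cvm(card: Card, term: Terminal) -> Optional[CVM]:
    """Walk the card's CVM list in issuer order; the first supported method wins.

    Returns None when no method is acceptable to both card and terminal,
    i.e. the transaction cannot be completed at this terminal.
    """
    for cvm in card.cvm_list:
        if terminal_supports(term, cvm):
            return cvm
    return None


# Constructed card profiles reflecting the three issuance choices in the post.
CHIP_AND_SIGNATURE = Card("chip and signature only", [CVM.SIGNATURE, CVM.NO_CVM])
SIGNATURE_WITH_ONLINE_PIN = Card(
    "chip and signature with online PIN",
    [CVM.SIGNATURE, CVM.ONLINE_PIN, CVM.NO_CVM])
CHIP_AND_PIN = Card(
    "chip and PIN",
    [CVM.OFFLINE_PIN, CVM.ONLINE_PIN, CVM.SIGNATURE, CVM.NO_CVM])

# Constructed terminals: the online, attended US environment versus the
# unattended and offline (batch) terminals the post describes abroad.
US_ATTENDED_ONLINE = Terminal("US attended online POS", True, True, True, True)
UNATTENDED_ONLINE = Terminal("unattended online ticket machine", True, False, True, False)
UNATTENDED_OFFLINE = Terminal("unattended offline (batch) kiosk", False, False, True, False)
ATTENDED_OFFLINE = Terminal("attended offline (batch) shop", False, True, True, True)

TERMINALS = [US_ATTENDED_ONLINE, UNATTENDED_ONLINE, UNATTENDED_OFFLINE, ATTENDED_OFFLINE]


def outcome_matrix(cards: List[Card], terminals: List[Terminal]
                   ) -> Dict[Tuple[str, str], Optional[CVM]]:
    """Map (card name, terminal name) -> CVM used, or None if it cannot complete."""
    return {(c.name, t.name): select_cvm(c, t) for c in cards for t in terminals}


if __name__ == "__main__":
    cards = [CHIP_AND_SIGNATURE, SIGNATURE_WITH_ONLINE_PIN, CHIP_AND_PIN]
    for (card, term), cvm in outcome_matrix(cards, TERMINALS).items():
        print(f"{card:38} @ {term:34} -> {cvm.value if cvm else 'cannot complete'}")
```

    Running the matrix shows the post's point: the online-PIN card gets through an unattended online terminal but not an offline batch kiosk, while only the chip and PIN profile works everywhere.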

    EMV PIN Considerations

    For more than 35 years, Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.

    In 2015, Don’t Just Make New...

    01-29-2015


    Start 2015 on the right foot, your third party risk management program included. Here are some suggested “New Year’s Resolutions” to incorporate into your strategic and tactical plans for the coming year:

    Resolution #1: I will incorporate the new SIG 2015 into my third party program.

    The new Standardized Information Gathering (SIG) questionnaire has been further aligned with current industry standards, frameworks, and regulations: the Program Tool has been updated for ISO 27001/2:2013, PCI DSS v3.0, OCC-2013-29, and the NIST Cybersecurity Framework, and a new software application security tab has been added. As pressures increase with ever more regulatory and internal compliance scrutiny, adopting a methodology that is continuously updated to meet new standards, guidance and risk areas, such as the SIG, can be an important component of your assessment program.

    Resolution #2: I will perform at least one onsite assessment of a third party service provider.
    It’s interesting to note that I still receive questions as to when an organization should execute the Shared Assessments Agreed Upon Procedures (AUP), the standardized testing procedures of the Shared Assessments Program. An onsite assessment should be performed when a third party service provider is deemed critical or valuable to an organization’s key processes and strategy. Further conversations with some members of the Shared Assessments Program, Shared Assessments Program Tool purchasers, and those simply inquiring revealed that many companies still tend not to analyze (or even prioritize) the vendors in their portfolio to determine which should truly be assessed onsite. This is troublesome, as organizations may be relying on less reliable measures, such as published SOC3 reports, or assuming controls exist based on industry stature (“they are well respected in the industry”). Regardless, you need the full picture as to how the TPSP is performing, which means an assessor really should appear onsite to see these operations in action! Though there are certainly some steps in the AUP that can be performed remotely by web conferencing, the human interaction that truly comes out of an onsite inspection is the best way to go.

    Resolution #3: I will have my staff certified as Certified Third Party Risk Professionals (CTPRP).
    This newly launched certification by the Shared Assessments Program ensures third party assessors truly have the skills and knowledge to effectively assess third party risk. Why? Because our CTPRP workshops cover the entire gamut of the third party lifecycle – from the RFP and contract phase through reassessment and termination. Additionally, the regulations that affect third party risk are thoroughly discussed. The CTPRP Workshops also provide actual third party scenarios, so those in attendance gain a real-life understanding of what can happen (and what has happened) during the vendor risk management lifecycle.

    Resolution #4: I will make myself more aware of what’s going on with respect to third party risk.
    Being a part of the Shared Assessments community is the best place to start! Shared Assessments members have the ability to participate on our monthly Member Forum call, to hear presentations from industry experts on key trends and issues, and to participate in our committees and awareness groups to help shape and refine the Shared Assessments Program Tools (and earn CPEs while doing so). Members of the Shared Assessments community can also post timely blogs on Authorities on Risk Assurance and contribute to newsletters and white papers, project documents and case studies. We understand the potential value these deliverables can have, and their direct impact on you, your organization, and your third party service providers.

    Resolution #5: I will develop/improve my relationship with our business management and procurement folks.
    If you don’t do this on a regular basis, then make this the year you reach out and partner with your business management and procurement groups. The landscapes are ever-changing… new regulations, changes to industry standards, and data breaches can all impact TPSPs and may even require you to consider changing these providers. Be sure to share risks openly so they aren’t blindsided if and when something does not go according to plan.

    By keeping these resolutions you can be assured that your 2015 will be off on the right foot and lead to something to celebrate at the end of the year.

    Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn

    How to Manage New Risks; Learn...

    01-26-2015


    Now in its eighth year, the Annual Shared Assessments Summit brings together senior executives who will share best practices and the latest insights on managing third party risk. The theme of the 2015 Summit will be Third Party Risk Assurance: Everything Old is New Again.

    Over the last 18 months, organizations have had to keep an eye on the ever-changing environment—changes to regulations, standards, and technologies. While these changes impact our environment, the focus remains the same: a risk-based approach to managing third (and fourth) party vulnerabilities.

    We know that vendor risk assessment is more than asking questions and resolving issues. It’s about identifying hidden and new risks, and adjusting how to manage them. The 2015 Shared Assessments Summit sessions will focus on helping organizations to stay abreast of the ever-changing risk environment and to evolve to meet these new challenges, while still maintaining a holistic risk-based approach.

    Key Topics Include:

    • Incident response and monitoring—what satisfies regulators
    • The impact of cyber security and application software security on third party risk management
    • Vendor risk management—keeping our eyes on what matters most
    • The shift of risk management from the IT department to the boardroom
    • The changing payments landscape: the impact of rapid technology changes on risk monitoring and mitigation
    • How demographics affect your risk exposure
    • The movement toward collaborative third party onsite assessments and how your organization can participate

    Conference Details: Five Days of Activities Taking Place the Week of April 27

    Dates:

    • Pre-Conference Workshops: April 27-28, 2015
    • 2015 Shared Assessments Summit: April 29-30, 2015
    • Certified Third Party Risk Professional (CTPRP) Workshop and Exam: April 30-May 1, 2015. The Certified Third Party Risk Professional (CTPRP) designation is a new certification program that validates proficiencies in third party risk management concepts and principles. To register or to learn more about the Shared Assessments CTPRP program visit https://sharedassessments.org/certified-third-party-risk-professional-ctprp/.

    Location: Four Seasons Hotel – Baltimore, Maryland

    To learn more about the 2015 Shared Assessments Summit and to register, visit https://sharedassessments.org/shared-assessments-summit-2015/.

    *****

    Make Your Brand Known. Be a Sponsor or Exhibitor
    The Shared Assessments Summit is the premier event for all stakeholders in the vendor risk assessment process from a range of industries including financial services, healthcare, telecommunications, energy and higher education. As an exhibitor or sponsor, you’ll gain visibility for your company, prestige, networking opportunities, and complimentary attendance at the conference. Learn more about sponsorship opportunities.

    Updated Shared Assessments Pro...

    01-22-2015


    The industry is in a state of high alert concerning third party risk in 2015. In fact, Booz Allen Hamilton moved third party risk to the top of the list of cyber security trends for financial services to “guard against” this coming year. WIRED.com also cited third party breaches as one of the six biggest security threats of 2015.

    Steve Durbin, managing director of the Information Security Forum, named third party threats as one of five dominant information security trends in 2015. “Over the next year, third-party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability,” Durbin told CIO magazine. “Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans or negotiations.”

    Because of these threats, doing business in an outsourced economy requires organizations to implement robust, tested strategies and processes, with tools to evaluate vendor risk and manage the security of sensitive data that is accessed or used by third parties. Newly updated for 2015, the Shared Assessments Program Tools—the Standardized Information Gathering (SIG) questionnaire, Agreed Upon Procedures (AUP), a tool for standardized onsite assessments, and the Vendor Risk Management Maturity Model (VRMMM)—help companies ensure their vendors’ data management security controls and practices are rigorously tested and are in line with data security practices and standards. These Tools allow risk professionals to rigorously assess and manage third party controls to evaluate IT, privacy, and data security risks, including software application security, Cloud, mobile, and fourth parties.

    Collaborative Efficiencies in Today’s High Risk Environment
    Our Tools empower risk professionals to move from risk management to risk assurance. We know that our members are faced with complex oversight of third parties and look to the Shared Assessments collective community for innovative and tested approaches and best practices to create efficiencies and cost savings in vendor risk management. With these updates, the Shared Assessments Program Tools now offer greater assessment depth; can be leveraged by competent internal staff or independent assessment firms; and can be used internationally.

    Durbin applauds this type of strategic approach. “A well-structured supply chain information risk assessment approach can provide a detailed, step by step approach to portion an otherwise daunting project into manageable components,” he said. “This method should be information-driven, and not supplier-centric, so it is scalable and repeatable across the enterprise.”

    2015 Program Tools Meet the Needs of Risk Managers
    The Shared Assessments Program Tools are designed for risk management leaders to effectively manage the critical elements of the vendor risk management lifecycle. Together, the SIG and AUP offer a “trust, but verify” approach to conducting third party assessments. The Tools are based on international, federal, and industry standards in order to ensure sensitive outsourced data—such as personally identifiable information (PII) and protected health information (PHI), intellectual property, and financial information—is protected.

    The following updates are included in the 2015 release:

    • The Standardized Information Gathering (SIG) Questionnaire uses industry best practices to gather and assess information technology, operating and data security risks (and their corresponding controls) in an information technology environment. It provides a complete picture of service provider controls, with scoring capability for response analysis and reporting. Enhancements to SIG 2015 include alignment with OCC Guidance 2013-29; updates and consistency with the new ISO-27001/27002, and PCI DSS v.3.0; layering with the NIST Cybersecurity Framework, and updated questions to stay abreast with all current federal and industry regulations, standards, and guidance. Additionally, for organizations looking to become PCI or ISO compliant, the SIG 2015 provides users with the capability to perform self-assessments to help ensure the necessary requirements to become certified are met.
    • The Agreed Upon Procedures (AUP), the Standardized Testing Procedures of the Shared Assessments Program, is used by companies to evaluate the controls their service providers have in place for information data security, privacy and business continuity. It provides objective and consistent procedures to evaluate key controls, reducing or eliminating the need for onsite assessments. For 2015, updates to the AUP include extensive sections on Cloud Security implementations and Software Application Security; tighter integration with the SIG, including the addition of Employees Agreements, and Business Insurance.
    • The Vendor Risk Management Maturity Model (VRMMM) incorporates vendor risk management best practices into a usable model, which can be used to assess the current and desired future state of a vendor risk management program and helps companies make well-informed decisions on how to spend limited resources to most effectively manage vendor-related risks. New enhancements to the VRMMM include updates to align with the OCC-2013-29 guidance and improved scoring.

    Shared Assessment Tools Boost Confidence in Assessing Third Party Risk

    In a Deloitte Touche Tohmatsu Limited (DTTL)/Forbes Insights survey, “2014 Global Survey on Reputation Risk – Reputation@Risk,” organizations are “least confident dealing with risks assessed as ‘beyond their control’ which includes risks from third party/extended enterprise issues (47 percent of respondents).” The Shared Assessment Program Tools put that control in the hands of third party risk managers—which will be vital going forward.

    As Tom Garrubba, senior director, the Santa Fe Group and Shared Assessments Program, sums up, “The Shared Assessments Program will continue to help companies stay on top of emerging third party risk trends and regulatory requirements; and help foster internal and board-level conversations on the importance of managing third party risk.”

    To learn more about the 2015 Shared Assessments Program Tools, visit www.sharedassessments.org.

    Robin Slade is Executive Vice President and Chief Operating Officer with The Santa Fe Group. Robin leads all activities of the Shared Assessments Program, including managing its Member Forum, working groups and the Certified Third Party Risk Professional program. Connect with Robin on LinkedIn.

    PRESS RELEASE: Updated for 201...

    01-20-2015


    PRESS RELEASE
    Contact: Lisa MacKenzie, MacKenzie Marketing Group, 503-705-3508,
    lisam@mackenzie-marketing.com or Kelly Stremel, kellys@mackenzie-marketing.com

    Updated for 2015: Tools Designed to Manage Third Party Risk
    Shared Assessments Program Tools Empower Vendor Management Confidence

    Santa Fe, NM — January 14, 2015 — The recent flood of high-profile data breaches and an avalanche of new regulations are in the spotlight for 2015. Doing business in an outsourced economy requires organizations to implement robust, tested strategies and processes, with tools to evaluate vendor risk and manage the security of sensitive data that is accessed or used by third parties. Newly updated for 2015, the Shared Assessments Program Tools—the Standardized Information Gathering (SIG) questionnaire, Agreed Upon Procedures (AUP), a tool for standardized onsite assessments, and Vendor Risk Management Maturity Model (VRMMM)—help companies ensure their vendors’ data management security controls and practices are rigorously tested, and are in line with their data security practices and standards. These Tools allow risk professionals to rigorously assess and manage third party controls to evaluate IT, privacy, and data security risks, including software application security, Cloud, mobile, and fourth parties.

    The Shared Assessments Program Tools are designed for risk management leaders to effectively manage the critical elements of the vendor risk management lifecycle. Together, the SIG and AUP offer a “trust, but verify” approach to conducting third party assessments. Built by Shared Assessments members representing financial services, insurance, brokerage, healthcare, retail, and telecommunications, the Shared Assessments Program Tools are based on international, federal, and industry standards in order to ensure sensitive outsourced data—such as personally identifiable information (PII) and protected health information (PHI), intellectual property, and financial information—is protected. The standards include ISO-27001/27002, PCI DSS, HIPAA/HITECH, COBIT, NIST, Federal Reserve, Office of the Comptroller of the Currency OCC-2013-29, and FFIEC guidance.

    Collaborative Efficiencies in Today’s High Risk Environment
    “Our Tools empower risk professionals to move from risk management to risk assurance,” said Robin Slade, executive vice president and chief operating officer, The Santa Fe Group. “Our members are faced with complex oversight of third parties and look to the Shared Assessments collective community for innovative and tested approaches and best practices to create efficiencies and cost savings in vendor management. With these updates, the Shared Assessments Program Tools now offer greater assessment depth; can be leveraged by competent internal staff or independent assessment firms; and can be used internationally. Top-tier financial services organizations are now using our Program Tools to conduct collaborative onsite assessments with collective third party vendors creating an efficient, and robust methodology to significantly lower the costs for both organizations and their vendors.”

    2015 Program Tools Meet the Needs of Risk Managers

    The following updates are included in the 2015 release:

    • The Standardized Information Gathering (SIG) Questionnaire uses industry best practices to gather and assess information technology, operating and data security risks (and their corresponding controls) in an information technology environment. It provides a complete picture of service provider controls, with scoring capability for response analysis and reporting. Enhancements to SIG 2015 include alignment with OCC Guidance 2013-29; updates and consistency with the new ISO-27001/27002, and PCI DSS v.3.0; layering with the NIST Cybersecurity Framework, and updated questions to stay abreast with all current federal and industry regulations, standards, and guidance. Additionally, for organizations looking to become PCI or ISO compliant, the SIG 2015 provides users with the capability to perform self-assessments to help ensure the necessary requirements to become certified are met.
    • The Agreed Upon Procedures (AUP), the Standardized Testing Procedures of the Shared Assessments Program, is used by companies to evaluate the controls their service providers have in place for information data security, privacy and business continuity. It provides objective and consistent procedures to evaluate key controls, reducing or eliminating the need for onsite assessments. For 2015, updates to the AUP include extensive sections on Cloud Security implementations and Software Application Security; tighter integration with the SIG, including the addition of Employees Agreements, and Business Insurance.
    • The Vendor Risk Management Maturity Model (VRMMM) incorporates vendor risk management best practices into a usable model, which can be used to assess the current and desired future state of a vendor risk management program and helps companies make well-informed decisions on how to spend limited resources to most effectively manage vendor-related risks. New enhancements to the VRMMM include updates to align with the OCC-2013-29 guidance and improved scoring.

    Pricing and Availability
    The updated Program Tools are available now to all Shared Assessment Members and are included in the annual membership fee. Membership provides opportunities to deepen vendor risk management expertise through members-only meetings, events, teleconferences and regular cross-industry working groups that discuss best practices, new standards and guidelines, and the regulatory climate.
    Non-members can purchase the Shared Assessment Tools either as a bundle or separately by visiting https://sharedassessments.org/store/.

    “Third party risk management is a priority for industry executives and as a result, the Shared Assessments Program will continue to be at the forefront of third party risk trends, helping companies stay on top of emerging risks and regulatory requirements,” said Tom Garrubba, MIS, CISA, CRISC, CIPT, CTPRP, senior director, the Santa Fe Group and Shared Assessments Program. “The education gained through participation in our Program will help foster internal and board-level conversations on the importance of managing third party risk.”

    About the Shared Assessments Program
    The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools, ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic consulting company based in Santa Fe, New Mexico. On the web at www.sharedassessments.org.

    ###

    The New Regulatory Corner Offi...

    01-06-2015


    2014 started with a key infographic on how and why “privacy” ended the year as the 2013 Word of the Year. From our collective experience, however, 2014 will forever be known as the “Year of the Data Breach”. A recent infographic published by www.databreachtoday.com highlighted the Top Breaches of 2014, comparing not only the number of records and people affected, but the nature of the breach – no brand was immune to cyber-worry. While vulnerabilities with funny names hit the headlines, I anticipate that 2015 will be known as the “Year of the Regulatory Office”.

    With new compliance requirements coming from all directions from both federal and state viewpoints, it will be challenging to manage the compliance due dates and overall coordination of activities. With regulatory expectations for stronger management oversight of risk functions, including audit committees and boards of directors, there is an expectation that regulatory monitoring functions become as mature as your traditional information technology “program office” that manages the suite of IT projects each year.

    Regulatory compliance expectations can span multiple senior leadership functions, or officers, within an organization. Creating a centralized regulatory management office is a concept that enables an organization to apply program management disciplines to managing the timelines and requirements from multiple compliance drivers. Creating efficiency in managing compliance can create synergies in helping educate senior management on compliance risk. The key stakeholders who need to own the risk and compliance functions can better manage risk if they have additional resources for the blocking and tackling of regulatory project management. With centralized management, tracking, and monitoring of regulatory functions, an organization can improve decision making within organizational silos.

    While it may be challenging to justify the investment in the regulatory management corner office, there are some simple steps you can implement in 2015 to advance the concept. No matter what size of your organization, there are three things you can do to start your Compliance New Year’s Resolutions for improved regulatory management functions that are attainable:

    • Review and update your regulatory monitoring and governance committee structures: Identify where you may have overlap in key controls, and review participants to find synergies that are efficient. Leverage a checklist or inventory that shows which governance committees are managing compliance risk for specific regulatory obligations.
    • Strengthen management reporting for governance, risk and compliance functions to address expanded regulatory expectations: Update and review your calendar of compliance updates to all levels of management – top down and bottom up. Identify commonalities in reporting functions across your compliance programs to avoid duplication in reporting. Review the frequency of updates to different audiences and identify ways to simplify the message with enhanced dashboards, benchmarks, and scorecards.
    • Implement a Regulatory Management Program Office concept to manage concurrent regulatory risk assessment, action plans, and assurance initiatives: Take a page out of the project management 101 playbook and apply those disciplines to your regulatory compliance functions. You can create a “virtual” Program Office by structuring common reporting, tracking and calendar activities – even if the day to day compliance tasks are handled in separate functional areas. Even simple tools like identifying a program owner to collect compliance milestones and key dates across all regulatory action plans, with a centralized monthly status conference call or webinar can improve the maturity of the regulatory management function.

    2015 is already kicking off with many top ten lists predicting an acceleration of regulatory change. Anticipated changes from the CFPB with payday loans, debt collection, overdraft protection, mortgage servicing, and disparate impact will require all financial institutions to review and adapt their existing regulatory management plans. Aggressiveness from the states in areas of breach notification and consumer protection will add to the checkerboard of compliance activities to monitor and track. Creating even a “virtual” regulatory compliance office is a starting point to build your business case for 2015 and beyond on how to navigate the Year of Compliance.

    The focus on regulatory compliance is not isolated to internal functions, but influences a financial institution’s strategy for monitoring and implementing oversight functions for third party risk. The Shared Assessments Program, which acts as a standards organization for managing third party risk is tackling the compliance topic of how to address regulatory compliance due diligence in third party relationships with an industry working group in 2015. I will be co-chairing this industry working group in 2015 to better understand the hot topics in regulatory compliance oversight, and what tools organizations may need to improve their overall management of operational risk and regulatory compliance risk functions.

    Linnea Solem is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    Shared Assessments in 2014: A ...

    12-18-2014


    It has been an exciting time to participate in the Shared Assessments Program. Looking back at 2014, it has been a good, active year, with the rollout of our Certified Third Party Risk Professional (CTPRP) certification, our kick-off of the annual Vendor Risk Management Benchmark Study, the successful facilitation of financial services collaborative onsite assessments, and improvements to the Shared Assessments Program Tools. Let’s take a more detailed look at some of the highlights from 2014.

    The results of the first annual Shared Assessments 2014 Vendor Risk Management Benchmark Study, sponsored by Protiviti, showed that outsourcers are still struggling with third (and fourth) party oversight. Program governance, along with policies, standards, and procedures, were notable areas in need of improvement. This, coupled with an avalanche of new regulations and standards, proved the need for more education and training. In response, Shared Assessments has launched the Certified Third Party Risk Professional (CTPRP) designation, a new certification program that validates proficiencies in third party risk management concepts and principles, including managing the vendor lifecycle, vendor risk identification and rating, and the fundamentals of third party risk assessment, monitoring and management.

    On the regulatory and standards front, Shared Assessments quickly and thoroughly responded to the unprecedented list of regulators and standards bodies that expanded the third party risk footprint for our members:

    Updated Tools to Meet the Needs of Our Members
    While we were confident that the issues outlined in the regulatory guidance and industry standards were already addressed by the Shared Assessments Program Tools, the Shared Assessments Development Committees performed specific mapping and gap analysis exercises to ensure that no holes existed in the risk controls covered by our Program Tools, which were all updated in 2014. Our next release of the Tools will be in January 2015. Until then, here’s a rundown of some of the key features:

    • In the Standardized Information Gathering (SIG) questionnaire, changes were made to ensure it’s relevant and consistent with the new ISO-27001/2 and PCI DSS v.3.0. For organizations looking to become PCI or ISO compliant, the 2015 SIG will have updated the ISO reference text column, providing members with the capability to perform a self-assessment to be sure the necessary requirements to become certified are met.
    • The Agreed Upon Procedures (AUP), the Standardized Testing Procedures of the Shared Assessments Program, now includes modifications to further align it with the SIG. Together, these Tools form a robust and rigorous standard for third party risk management. New sections including Software Application Security (including the type of software found on POS devices) and Cloud Security were added.
    • The Vendor Risk Management Maturity Model (VRMMM), which incorporates vendor risk management best practices into a usable model to assess the current and future state of a vendor risk management program, underwent modifications to address gaps identified between OCC guidance and the VRMMM.

    Perhaps the most exciting advancement for Shared Assessments this year was our effort to perform Collaborative Onsite Assessments for the financial services industry. We identified and piloted a process that allows multiple financial institutions to work together and collaboratively assess one of their third party vendors that provides the same services to all of the participating financial services firms. Two successful collaborative assessments were performed, leveraging the Shared Assessments AUP as the common risk assessment vehicle. In 2015, we will refine the process and work to broaden the adoption of this model, which is designed to create further efficiencies and cost savings for all parties involved in the risk assessment process. Stay tuned!

    What’s on the Horizon for 2015
    2014 also brought some lowlights—several high-profile data breaches—which further spotlighted third party risk. We anticipate more of the same in 2015. In addition, the 2015 landscape is predicted to include organizations continuing to evolve to meet the existing, and likely, new regulations. To address this ever-changing landscape, the Shared Assessments Program 2015 agenda will include important topics such as:

    • The Board’s role in third party risk oversight: fostering board level conversation and education;
    • Best practices for third party risk management and assurance;
    • Regulatory compliance awareness, including due diligence and procurement related issues;
    • Continued refinement of the CTPRP certification to differentiate skills in the marketplace;
    • The second annual Vendor Risk Management Benchmarking Study conducted with Shared Assessments Program member, Protiviti.

    Our eighth annual Shared Assessments Summit 2015, will be held April 29-30, 2015 in Baltimore, MD. The theme is: Third Party Risk Assurance: Everything Old is New Again. We will focus on the need for organizations to evolve to meet new risk challenges, while still maintaining a holistic risk-based approach to managing risk.

    Members can sign up for all of these important initiatives by completing our “request to participate.” More information about each activity, and the sign-up form, can be found here.

    We are also very excited about increasing our international focus as we further grow our Shared Assessments membership with organizations that have an international presence or are headquartered overseas. Our initiatives in this area include:

    • Continued focus on ISO mapping
    • International regulatory and privacy updates to the Program Tools
    • Exploring international opportunities to further showcase the organization as a leader in third party risk management
    • Expansion of the CTPRP program for educating third parties overseas
    • Increased international member participation in Shared Assessments activities and leadership

    We will keep a watchful eye on risks associated with new technologies, new or updated standards, and regulations, in order to ensure our Program Tools are updated accordingly. As evidenced, we are excited to welcome 2015 on such solid footing and are prepared to meet the various challenges presented to us by our members and to those seeking guidance in third party risk. It’s what our members expect from us as we continue to be the trusted source for third party risk management.

    Robin Slade is Executive Vice President and Chief Operating Officer with The Santa Fe Group. Robin leads all activities of the Shared Assessments Program, including managing its Member Forum, working groups and the Certified Third Party Risk Professional program. Connect with Robin on LinkedIn.

    Top 5 Things Your Board and CE...

    12-15-2014


    As an executive manager or member of your company’s board of directors, third-party risk management should be top of mind.

    Here are five things you need to know:

    1. Contracts are no longer enough to protect the business.

    Contracts are incredibly important, however, they do not provide the visibility you need to reduce the risks associated with data breaches. Achieving proper visibility and monitoring your third-party vendor’s compliance with cyber security regulations and best practices is now a requirement of many regulatory and security guidelines, including PCI 3.0, OCC, HIPAA Omnibus, and the SEC.

    It is important to note that in order to meet these regulatory and data security requirements, your third-party vendor contracts should include language that expressly grants you the right to perform an assessment, as well as the authority to monitor your third-party vendors on an ongoing basis.

    2. A breach of your client’s or patient’s data at a third party is YOUR responsibility.

    The notion that outsourcing a business function effectively eliminates your responsibility for the security of your customer’s data is no longer an acceptable business position. Due diligence with third-party vendors that have access to sensitive data is often seen as the only way to reduce your risk, understand areas for improvement, and show due care. Certain regulatory bodies automatically associate a lack of due care and due diligence with increased liability (and costs).

    3. Single, point-in-time assessment is no longer sufficient.

    Most third-party risk management programs begin as a compliance effort, with point-in-time assessments completed during or immediately after the contracting process. In many cases, this was the one and only time an assessment was performed. The pace of technological innovation is staggering. Organizations of all sizes are moving more data to the cloud and mobile applications. While this may increase efficiency and reduce costs, wouldn’t you want to know this happened at a service provider, prior to a breach notification? Performing on-going assessments and threat monitoring exercises is now required to better understand the constantly evolving risks posed to your data by third-party vendors.

    4. Third-party risk should be part of your cybersecurity plan.

    Third-party risk management is a security function as well as a compliance requirement. When you have a cybersecurity plan that only focuses on internal security, you risk missing 50% of the problem. Numerous studies have shown that third parties represent between 40% to 80% of the risks associated with data breaches. Ensuring broad cybersecurity coverage means understanding the risks posed by both your third-party providers and their providers (fourth parties).

    It is important to also note that understanding where your data is, both internally and externally, helps you to better isolate your risks and understand where you must focus your efforts.

    5. Your CISO (or equivalent) should report these risks directly to the board.

    You must take steps to ensure that you, your management team, and your board of directors are getting the information that is needed to make timely decisions, reduce the risk of a data breach, and protect your brand. One of the ways to achieve this is by aligning spending against security priorities that often take a back seat to other technology initiatives. This will also help to reduce the friction that exists between your executives when it comes to spending priorities.

    The reality is that a successful CISO who has reduced the security risks of a business may not look efficient on the surface. But dig deeper and you will see that they are helping save the company tens to hundreds of millions of dollars in lost revenue, fines and damage to your brand through the prevention of third-party data breaches. Speaking directly to your CISO will help you better understand the risks in order to make decisions and align spending.

    Remember that crisis situations often lead to snap decisions that can create more problems in the long run. Decide now, and prepare a plan for what you, your management team, and your board of directors will do to protect your business and reputation, should your business be hit with the unthinkable.

    Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc., was the Shared Assessments Program Chair in 2014 and will serve as the 2015 Program Chair. Jonathan is responsible for driving the direction of Prevalent, as well as managing the sales, project management, operations, legal, and marketing organizations at the company.

    Reposted with permission from Prevalent Blogs

    Heightened Expectations Raise ...

    12-12-2014


    The Office of the Comptroller of the Currency (OCC) published final guidelines that establish minimum standards for risk governance frameworks for OCC regulated institutions with over $50 billion in assets. While that asset threshold would seem to specifically exclude most community banks, the OCC has reserved the right to apply the guidelines to other organizations if the OCC determines there is a heightened risk or highly complex state of operations.

    The guidance sets clear “tone at the top” requirements for active participation in risk management by regulated financial institution boards of directors. By labeling the requirements as guidelines rather than regulations, the OCC retains some flexibility to apply risk management discretion if remediation plans are not meeting its expectations. Required compliance effective dates are staggered based on asset size, resulting in a cadence of implementation across financial institutions over the next eighteen months. Future enforcement actions by the OCC will provide insights into how it views the adequacy of an organization’s adoption of the guidelines.

    While media headlines continue to focus on cyber security risk, the published risk management guidance, whether on oversight of third parties or on consumer protection, demonstrates the need to broaden risk management and controls to areas outside information technology. Operational risk and regulatory compliance audits and assessments require formalized oversight mechanisms to demonstrate compliance.

    The implementation of the heightened expectations risk requirements will influence the risk and control activities across multiple compliance topics for the larger institutions. The resulting up-tick in the focus on overall governance may actually become a tipping point for even smaller organizations to apply the heightened expectations principles as a best practice. The guidance is broken into three parts:

    • Part I – Scope & terms;
    • Part II – Minimum Standards;
    • Part III – Minimum Standards for Board of Directors’ Oversight.

    Regardless of the size of your financial institution, implementing sound risk management controls is good for your business. Risk management and control activities should be assessed and reviewed on a periodic basis as the risk environment changes. Here are three simple steps any organization can take to review their existing risk management program to reflect the current market landscape:

    1. Assess risk management structures within your organization

    Review your current regulatory inventory of the laws, rules, regulations, and standards that apply to your business. Create a checklist to identify your current risk management and control mechanisms and to determine any new topic areas that need to be addressed. Assess your internal processes, oversight committees, and working groups, and update their charters with a clearly identified purpose, scope, and roles/responsibilities for policy governance and oversight. Review the current skill sets and expertise on your Board of Directors to identify any gaps in risk management knowledge or experience. Build a timeline showing staffing levels for key assurance and audit functions to assess the capacity and sufficiency of resources to manage oversight. Create operational risk talking points – the “elevator speech” – to help executive management more effectively communicate and articulate how they are addressing risk and compliance in their functional areas. Create reminder training for business line leaders and front line staff regarding their role in risk management and compliance.

    2. Update risk management reporting scope and frequency

    Management level risk reporting can no longer simply be a status update exercise. Assess your criteria for risk management status: Red, Yellow, Green status may need crisper definition or trigger points for escalation on a more frequent basis to demonstrate accountability. Review and refresh the scope and frequency of risk management reporting for the Board of Directors, Audit Committees, Senior Management, and Lines of Business. With broader obligations for regulatory compliance and operational risk, determine the need to conduct education on risk for board members and executives. Broaden the depth of risk management content provided to the Audit Committee and Board of Directors with enhanced reporting so that the Board can more actively participate in evaluating the effectiveness of executive management in managing risk. While only larger institutions will be immediately examined for their risk appetite statement, the process to define and create that statement can identify gaps in risk coverage for your existing risk management reporting.

    3. Leverage industry frameworks for risk management and controls

    [Image: COSO Cube]

    Changes in business and operating environments require updates to risk approaches. Information Technology functions have focused on leveraging the National Institute of Standards and Technology (NIST) cyber security framework. Publicly held companies subject to Sarbanes-Oxley (SOX) Section 404 compliance may be upgrading to the 2013 COSO Framework. Leverage the industry resources available for assessing key functions, including: control environment, risk assessment, control activities, information & communication, and monitoring functions. Identify tools to conduct self-assessments of the adequacy of control committees, or of roles and responsibilities for control process owners within your organization.

    The pendulum for risk management and corporate governance has shifted sharply in today’s regulatory landscape. Initial compliance with the heightened expectations requirements will shift resource allocation within larger financial institutions to risk and audit functions. The themes and principles for governance learned from enforcement actions can be a good indicator for community banks of areas of focus to apply within their own organization. Building a three year strategic plan on how to address your financial institution’s current and expected risks will enable your organization to respond more effectively to further shifts in regulatory expectations. Most financial institutions and service providers have codes of conduct or value statements – today’s landscape makes those statements an integral aspect of your risk management program. The principles of the minimum standards can serve as a building block for the risk management program foundation your organization maintains. The heightened expectations raise the profile of the risk management and compliance function for all players in the financial services landscape.

    Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    When it Comes to Third Parties...

    12-08-2014

    Many moons ago when I was in internal audit a friend of mine who was an application manager within the same company brought me an interesting request; he wanted me to audit his application. I was a bit befuddled, and when I asked “why” he informed me that his application contained the formulations of all of the company’s sauces and similar products throughout the world. I asked him when the last time he was audited was and he quipped “never”.

    This got me thinking as I started getting similar responses with regards to companies either delaying assessments – or flatly not performing assessments – of third party services providers (TPSPs) who may be receiving non-personally identifiable data.

    Third parties receiving personally identifiable information (PII) data – which includes protected health information (PHI) and card holder/payment card industry (PCI) data – seem to be getting most, if not all, of the attention of vendor risk managers due to regulatory or industry scrutiny. Such scrutiny is justifiable as breaches can bring on fines (if the entity is regulated), class-action lawsuits, severe reputational risk, and the like. However, this is still no reason to delay or flat-out ignore assessing TPSPs not receiving PII. Sadly, I’ve witnessed many companies focus their efforts solely on customer/client data.

    According to a recently published E&Y study (http://www.ey.com/Publication/vwLUAssets/EY-global-information-security-survey-2014/$FILE/EY-global-information-security-survey-2014.pdf) fielding responses from 1,825 enterprises, careless employees, outdated security controls and use of cloud computing were cited as the main areas that businesses said increased their risk exposure during the past 12 months. The study also noted that “stealing intellectual property or data” was one of the top concerns relating to cyber threats companies need to contend with. You read that correctly, “intellectual property.”

    Any TPSP coming in contact with what I call “CIPS” data – confidential (financial, compensation, other non-published data), intellectual property (copyrights, patents, trademarks, formulations), and/or strategic (mergers and acquisition plans, marketing initiatives) – should also be assessed on a periodic basis in the same manner as those handling PII data. I can assure you many executives would worry about CIPS data falling into the hands of a competitor due to an incident at a TPSP which caused it to be either exposed or missing due to inadequate controls. As witnessed recently, incidents with TPSPs involving unauthorized access to data, access to unencrypted data, missing backups and flash drives, and lost or stolen laptops continue to occur with upsetting regularity.

    To begin the discussion of how frequently to reassess your vendors handling CIPS data, one should consult the appropriate C-suite stakeholders, such as the chief officers in the information security, privacy, and legal offices. Once the frequency has been established, the next step is to determine whether they should be assessed with the same scrutiny as those receiving PII data.

    The Program Tools of the Shared Assessments Program are excellent in assisting in this regard.
    The Standard Information Gathering (SIG) questionnaire – the standard for assessing overall privacy and security posture – is the trust component tool in your assessment arsenal. The SIG helps to ensure you are obtaining all of the information necessary to conduct an initial assessment of a TPSP’s IT, privacy, and data security controls.

    The verify portion of the Program is the Agreed Upon Procedures (AUP), as it allows an assessor (whether internal or external) to validate the answers provided by the TPSP to your SIG questionnaire. If you choose to do this onsite, it also sets forth the risk control areas to be assessed, as well as the procedures to be followed while conducting the assessment and the sampling procedures to use.

    Third party organizations receiving your CIPS data should be under similar scrutiny as those receiving your PII data. As the trends show, breaches of CIPS data are increasing, and the time has never been more critical to start reviewing your vendors’ privacy and security controls for handling such data.

    Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.

    Visual Hacking: Who’s Lookin...

    11-24-2014

    I recently attended the Ponemon Institute’s Responsible Information Management (RIM) Renaissance Privacy Event. While headlines and discussion continue to focus on cybersecurity, privacy professionals also had good conversations about the basics of visual privacy. Protecting confidential information is a basic privacy principle – and it is easy to overlook the reminders in our mobile and ever connected work environment.

    Let’s start with the basics:

    • Visual Privacy: The act of protecting sensitive, confidential, and private information from visual hacking
    • Visual Hacking: A low-tech method used to capture sensitive, confidential, and private information for unauthorized use

    In a Visual Data Breach Risk Assessment Study, respondents indicated that 67% of employees access sensitive or confidential data in public. 70% of companies indicated that they had no explicit policy on working in public places. 50% of respondents had experienced a violation of visual privacy.

    Employees today are connected at all times – phones, tablets, laptops. Access is pervasive 24/7 and that means access is in all types of places. Unauthorized access to confidential information is not limited to consumer data or financial data – it includes your company’s intellectual property and information assets. Even conducting routine email on devices that can be seen by others can put confidential information at risk, if employees are not careful in managing their use of the device. Security and Privacy Training and Awareness programs should adapt and ensure that reminders and policies are in place for employees regardless of where they are conducting their work.

    Access is not limited to public places – employees may work from home, where active computer screens or paper documents can be viewed by unauthorized people. Organizations are moving more to open floor plans and that creates the need for broader awareness of the “need to know” concept, if confidential information is more readily visible in office locations.

    Tips for success to reduce your risk of visual hacking:

    • Review your policies to confirm whether you have addressed Visual Privacy requirements, including access in public places
    • Enhance your training and awareness program to provide user tips for access on mobile and smart devices
    • Conduct a floor walk after hours to confirm “clean desk” adoption
    • Conduct a floor walk during office hours with an unknown person and see how much confidential information can be viewed, seen or collected within one hour
    • Automate screen saver settings to lock the screen after a period of inactivity
    • Check with IT to see if simple user tips or reminders can be added to screen saver settings
    • Create a “Travel Safe” campaign to address access on planes, at hotels, and at coffee shops

    Protecting confidential information is a basic building block of privacy. Visual Hacking can be prevented, but only if employees increase their awareness of their surroundings and follow basic tips to protect visual privacy. Help employees with reminders so you don’t have to worry about who is shoulder surfing your company’s confidential information.

    To learn more about Visual Hacking, check out the Visual Privacy Advisory Council.

    Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    Third Party Risk Certification...

    11-20-2014

    Goodwill Industries recently fell on bad times when a vendor’s system was attacked by malware, giving criminals access to payment card information—names, payment cards, and expiration dates (http://www.goodwill.org/press-releases/goodwill-provides-update-on-data-security-issue/). This appears to be a sign of the times. Over the past year or so, several major retailers have experienced a breach in which a third party played a role: Target (http://krebsonsecurity.com/tag/target-data-breach/), Viator (http://www.viator.com/about/media-center/press-releases/pr33251), Lowe’s (http://www.fierceitsecurity.com/story/third-party-vendor-behind-possible-lowes-data-breach/2014-05-26), and AT&T (http://www.databreachtoday.com/att-reports-third-party-breach-a-6956).

    Breaches are a fact of life; however, one wonders about the effectiveness of these companies’ third party risk management strategies. Doing business in an outsourced economy requires expertise in the strategies, processes, and practices needed when evaluating and managing vendor risk and overseeing the security of sensitive data once it’s in the hands of third parties.

    Expertise in risk management is best learned and maintained through certification programs. These certifications help professionals stay current with regulatory requirements, threats to data, and industry best practices. Over the years, risk management certifications have evolved from the general aspects of risk, privacy, and security to address more specific areas like IT/privacy. Unfortunately, no risk certification exists for addressing the unique expertise needed for vendor risk management.

    Until now.

    The Shared Assessments Certified Third Party Risk Professional (CTPRP) Program

    The Certified Third Party Risk Professional (CTPRP) designation developed by the Shared Assessments Program is a new certification that validates proficiencies in assessment, management, and remediation of third party risk issues. Once certified, CTPRP holders will have a thorough working knowledge of third party risk management concepts and principles, including managing the vendor lifecycle, vendor risk identification and rating, and knowledge of the fundamentals of vendor risk assessment, monitoring, and management.

    The CTPRP certification, the first of its kind, is ideal for third party risk, procurement and compliance professionals including business vendor managers, risk managers (vendor or operational), vendor IT security managers, IT auditors/assessors, and IS auditors/professionals. The CTPRP designation validates the holder’s expertise, and provides professional credibility, recognition, and marketability to its holders.

    CTPRP Requirements

    CTPRP certification requirements include a minimum of five years’ experience as a risk management professional, in a position that demonstrates proficiency in assessment, management, and remediation of third party risk issues; peer training; participation in Shared Assessments program committees and workshops; mentoring; attending related workshops and other training events; and successfully passing the CTPRP examination. Individuals who do not have the minimum five years’ experience may use the course and exam for training and education purposes, then reapply once five years’ experience is earned.

    With so much at stake in the event of a data breach—lost revenue, significant brand damage, lawsuits, fines—companies need to take a closer look at their third party risk management practices. Risk management professionals seeking certification through the Certified Third Party Risk Professional program are an indicator that organizations are taking proactive responsibility for getting their third party risk programs in shape.

    Your Opportunity to Certify Is Coming Soon!

    Upcoming CTPRP Workshops & Examination Dates:

    January 22 – 23, 2015
    Phoenix, AZ

    February 25 – 26, 2015
    New York, NY

    *April 30 – May 1, 2015
    Baltimore, MD

    *The Certification Workshop and Exam directly follow the 8th Annual Shared Assessments Summit 2015. Attending the Summit will earn educational credits that can be applied towards maintaining your certification. Register to attend the Summit here.

    To learn more or to register for an upcoming CTPRP workshop and exam, please visit www.sharedassessments.org or contact Nicole Musolf, Project Manager, at 505-466-6434 or Nicole@santa-fe-group.com.

    Robin Slade is Executive Vice President and Chief Operating Officer with The Santa Fe Group. Robin leads all activities of the Shared Assessments Program, including managing its Member Forum, working groups and the Certified Third Party Risk Professional program. Connect with Robin on LinkedIn.

    No Playing Hide and Seek With ...

    11-17-2014

    The FFIEC recently released its Cyber Security Assessment observations, after conducting a pilot on cyber security readiness with more than 500 community institutions. A key theme emerging from the observations was the need for enhanced sharing of threat and vulnerability information across the public and private sectors. The rapid pace of change in emerging risks requires faster response and strong collaboration between financial institutions and critical technology service providers.

    Understanding Inherent Risk

    A starting point in looking at a cyber security assessment is the fundamental inherent risk. Financial services as an industry has higher risk, not only because of the nature of the sensitive financial information institutions maintain, but also because of the high profile of banking and its impact on the U.S. economy. However, risk levels can vary significantly between different financial institutions.

    Risk levels can differ by size, scale of operations, and even the types of products and services the institution offers. A challenge for risk professionals is to balance the risk mitigation story presented to management with an understanding of the risk baseline, before consideration of the risk-mitigating controls the organization may have in place.

    A Connected Landscape

    Banking today relies on connections: Connections between users, connections between systems, and connections between devices. In a connected landscape, assessing your risk begins with conducting an inventory of the types of connections your organization maintains.

    Once that inventory is complete, review your approach for how you evaluate the risk each connection brings to your organization. Risk factors can include the security controls in place, the type of data passing through that connection, and what systems and databases could be accessible. This assessment should consider both internal and external threats, including interfaces to third parties that are critical to day to day technology operations.

    Don’t Hide From the Hacker – Think Like the Hacker

    As you evaluate your products and services – consider the type of feature functionality, the level of financial risk to the transactions, and what harms could come to your account holder if the product or service was compromised. Organizations need to increase their cyber security awareness of the different types of threats and attacks that hackers use for different types of products and services. Put yourself in the hacker’s mindset and ask yourself where the threat could be hiding within your organization. It is easy to focus on only the technology, but at times people can be the bigger threat.

    As most organizations review and analyze the FFIEC observations and recommendations, here are the highlights I thought most interesting in their release, from a do’s and don’ts perspective:

    • Risk Management & Oversight: Do increase the frequency and depth of coverage of cybersecurity with executive management and the Board of Directors. Don’t let security training and awareness content get stale, or become an annual check-the-box exercise.
    • Threat Intelligence & Collaboration: Do define the roles and responsibilities for monitoring risks & threats. Don’t wait for an incident to establish the protocols for information sharing on vulnerabilities or the processes to coordinate with law enforcement.
    • Cyber security Controls: Do assess and review your information classification and controls standards. Don’t scan every system at the same frequency – some systems require more frequent risk review to find vulnerabilities.
    • External Dependency Management: Do address third party risk based on the nature of the risk that relationship brings to the organization. Don’t treat every third party vendor the same, as your resources need to focus on the higher risk processes and connections.
    • Cyber Incident Management & Resilience: Do assess how incident notification processes work within your organization and between critical third parties. Don’t underestimate how a cyber-security event could trigger a broader business continuity scenario, and consider how to connect incident handling and crisis communication processes.

    We can’t hide from cyber security risk, but we can seek to assess that risk, share information with others and collaborate on the key governance models for cyber-security preparedness.

    Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    PRESS RELEASE: Certification P...

    11-12-2014

    PRESS RELEASE:
    Contact: Lisa MacKenzie, MacKenzie Marketing Group, 503-705-3508,
    lisam@mackenzie-marketing.com or Kelly Stremel, kellys@mackenzie-marketing.com

    Certification Program Developed Specifically for Risk Professionals

    The Certified Third Party Risk Professional (CTPRP) Designation Validates
    Third Party Risk Management Expertise

    Santa Fe, NM — November 12, 2014 — Recent high-profile data breaches have spotlighted third party risk, resulting in increased vendor management awareness. Doing business in an outsourced economy requires special strategies, processes, and practices when evaluating and managing vendor risk and overseeing the security of sensitive data once it’s in the hands of third parties. The Certified Third Party Risk Professional (CTPRP) designation developed by the Shared Assessments Program, the trusted source for third party risk management, is a new certification program that validates proficiencies in third party risk management concepts and principles, including managing the vendor lifecycle, vendor risk identification and rating, and the fundamentals of third party risk assessment, monitoring and management.

    The top findings of the 2014 Vendor Risk Management Benchmark Study reveal that current third party risk management practices cross-industry—especially insurance and healthcare—are vulnerable and lacking in governance, policies, standards, and procedures. The CTPRP certification designates experienced risk professionals with specialized skills and training in third party risk management practices. As a result, having this certification will help organizations increase their commitment to customer privacy, compliance, governance, and risk management best practices.

    “With so much at stake in the event of a data breach—lost revenue, significant brand damage, lawsuits, fines—companies need to take a closer look at their third party risk management practices,” said Tom Garrubba, MIS, CISA, CRISC, CIPT, CTPRP, senior director, the Santa Fe Group and Shared Assessments Program. “Risk management professionals seeking certification through the Certified Third Party Risk Professional program is an indicator that organizations are taking proactive responsibilities to getting their third party risk programs in shape.”

    CTPRP Certification Reinforces Organizations’ Commitment to Vendor Risk Management
    CTPRP certification requirements include a minimum of five years’ experience as a risk management professional, in a position that demonstrates proficiency in assessment, management, and remediation of third party risk issues. In addition to successfully passing the CTPRP examination, continuing education is needed to ensure CTPRP holders stay current with changes to regulations, standards, and guidelines. CTPRP holders who are not currently participating in Shared Assessments through a member organization have the opportunity to join as an individual member of the Program, and gain access to members-only educational resources and networking opportunities with third party risk management peers.

    Shared Assessments will offer two CTPRP certification workshops and exams each quarter. First quarter 2015 events will be held January 22-23, 2015 in Scottsdale, AZ and February 25–26 in New York City. The next CTPRP certification workshop will be held April 30-May 1, 2015 in Baltimore, directly following the 8th Annual Shared Assessments Summit 2015. Summit attendees will earn educational credits that can be applied towards certification. To register or to learn more about the Shared Assessments Certified Third Party Risk Professional (CTPRP) program visit https://sharedassessments.org/certified-third-party-risk-professional-ctprp/.

    About the Shared Assessments Program
    The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools, ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic consulting company based in Santa Fe, New Mexico. On the web at www.sharedassessments.org.

    ###

    FFIEC to Update Cybersecurity ...

    11-04-2014

    The FFIEC issued its general findings from an assessment of over 500 community based financial institutions this summer. In its November 3rd press release, the FFIEC discussed the growing need for tighter cybersecurity measures and indicated that it was already in the process of reviewing and updating the existing guidelines for managing cybersecurity risk.

    The FFIEC assessment focused on two primary areas of risk: determining senior management’s level of understanding of the inherent risk from cybersecurity threats and vulnerabilities; and the extent to which institutions were prepared to assess and address those risks.

    In reviewing levels of inherent risk, the FFIEC encouraged financial institutions to understand the types of connections used to access systems and data; to determine whether certain products and services introduced additional cybersecurity risk to the institution; and to understand the cybersecurity risks associated with the various technologies used to deliver those products and services.

    The FFIEC’s assessment of cybersecurity preparedness focused on an institution’s ability to proactively identify/assess cybersecurity risks; the processes and controls in place to address those risks; and, how well an institution managed its cybersecurity exposure at third party service providers.

    The updated FFIEC Guidance on cybersecurity risk is expected to encourage financial institutions to develop and maintain dynamic risk control environments that proactively manage cybersecurity threats to the institutions themselves as well as their third party service providers, and to continue the development of sophisticated business continuity and disaster recovery plans. No specific time frame was provided for when the new cybersecurity guidance would be issued. However, in the interim it would be prudent for financial institutions to begin increasing their efforts in the areas focused on by the FFIEC in its Cybersecurity General Observations.

    Brad Keller has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Today Brad is the Director of 3rd Party Risk & Compliance at Prevalent, Inc., where he focuses on the delivery of Prevalent’s third party risk management and assessment solutions, and the consulting to support those solutions.

    Reposted with permission from the Prevalent blog.

    Apple Pay is Live and Has (Jus...

    10-30-2014

    Apple Pay hit the streets with the release of iOS 8.1 the week of October 20th and, at least at the physical point of sale, the mechanics largely seem to be working as planned. With the exception of about 1000 Bank of America customers who experienced quickly corrected duplicate charges, there have been few reported issues with in-store use.

    That’s not to say the customer experience has been uniformly ideal. I’ve used Apple Pay twice at launch partner merchants. At both merchants, the clerks knew nothing about Apple Pay, and one of the two clerks told me flatly the service would not work. In fact, Apple Pay worked perfectly at both locations. At a third merchant, also a launch partner, no one knew what Apple Pay was (one person behind the counter thought I was asking for apple pie) and the location had no customer facing terminal that could possibly work with the service. A quick call to the merchant’s headquarters revealed that the chain still had 3,000 locations (a small minority of its U.S. sites) to convert, and that it hoped to have that work done quickly.

    Despite the hiccups, my early experience with Apple Pay suggests that the service really is easier and faster than using plastic at the point of sale. With less friction of use and more security than other payment methods offer, we might expect Apple Pay to be a sure winner. But other events in the last week or so suggest there is a battle ahead, and that security may not be uppermost in the minds of all players.

    We’ve seen two major drug store chains, CVS and Rite Aid, generate headlines by turning off sporadically available Apple Pay access after some customers reported successful use, even though neither chain had signed up for Apple’s new service. Merchants associated with the Merchant Customer Exchange (MCX), including CVS and Rite Aid, are behind an alternative wallet, CurrentC, which does not allow payments from bank-issued debit or credit cards. Although MCX merchants in the past have been vocal about the lack of security around credit and debit card transactions, their early absence from the Apple Pay ecosystem suggests that there is more than security at stake for these stakeholders. By avoiding bank-issued credit and debit cards and relying only on decoupled debit (with customer checking account data stored in the cloud) and merchant-issued credit cards, MCX is betting its merchants can provide enough of a value proposition to keep customers from being concerned about the heavy personal information use and data storage issues the wallet may generate.

    On October 28th MCX announced that it had been hacked and that testers’ email addresses had been compromised (see http://www.mcx.com/blog/1028-email-incident-report/). MCX also said on Wednesday that it would not fine retailers if they chose to leave the group.

    Readers can find a summary of how MCX works at: http://techcrunch.com/2014/10/25/currentc/

    For information about Apple Pay mechanics, see the article below, originally posted on September 12th.

    Apple Pay – And Dynamic Payment Tokens
    (originally posted on Shared Assessments Authorities on Risk Assurance September 12, 2014 blog)

    Although Apple’s payments announcement was not a surprise, the platform’s mechanics were largely unknown before Tim Cook’s on-stage introduction at the Flint Center in Cupertino. Cook set the context for Apple’s payments vision quite accurately:

      “Most people that have worked on this have started by focusing on creating a business model that was centered around their self-interest instead of focusing on the user experience. We love this kind of problem. This is exactly what Apple does best. And so, we’ve created an entirely new payment process and we call it Apple Pay.” (http://www.nfcworld.com/2014/09/09/331431/transcript-apple-ceo-tim-cook-svp-eddy-cue-introduce-apple-pay-mobile-payments-nfc/)

    Security has been increasingly central to user concerns about all electronic payments processes, and the confirmation of another large data breach at Home Depot has kept the focus on a threat that is arguably unsustainable if we are to avoid a crisis of confidence in consumer payments. So Apple’s introduction of a payments process that goes further than others in mitigating risks at both the physical and virtual points of sale is a very big deal indeed.

    Let’s have a quick look at how Apple Pay works. Transactions are authorized using the biometric fingerprint detection functionality that’s on the latest iPhones, and that’s only after a user has entered a PIN to log on to the device. So we start with biometrics, a strong plus. Cook explained:

      “…when you add a new credit card, we don’t store the credit card number, we don’t give it to the merchant.

      “We create a device-only account number [token] and we store it safely in the secure element and each time you pay, we use a one-time payment number [dynamic payment token] along with a dynamic security code so you no longer have the static code on the back of your plastic card and if your iPhone is lost or stolen, you can use Find my iPhone and suspend all of the payments from that device… Now, security is at the core of Apple Pay, but so is privacy.

      “We are not in the business of collecting your data. So, when you go to a physical location and use Apple Pay, Apple doesn’t know what you bought, where you bought it, or how much you paid for it. The transaction is between you, the merchant and your bank. It’s fast, it’s secure and it’s private.” (http://www.nfcworld.com/2014/09/09/331431/transcript-apple-ceo-tim-cook-svp-eddy-cue-introduce-apple-pay-mobile-payments-nfc/)

    Apple Pay, then, uses dynamic payment tokens that change with each transaction, a real secure element (no host card emulation), a protocol where no Primary Account Numbers (PANs) are stored anywhere on the device, biometric-only payment authentication and initiation, and an easy-to-use transaction initiation process that works both at the physical point of sale and in cyberspace. The process uses existing rails and focuses on payment instruments (bank credit and debit cards) that consumers have historically seen as the best way to pay. Clearly, there’s a lot here to like, including – for me in particular – the use of dynamic payment tokens, which materially contribute to making the process less risky.
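    The following is an added illustration of the tokenization model described above, written for this page; it is a constructed toy and not Apple’s, EMVCo’s or any network’s actual protocol. It assumes two made-up parties, a TokenVault (the issuer or token service provider side) and a DeviceSecureElement (the phone side), and shows the property that matters for risk: the merchant receives a device account number and a one-time cryptogram, never the PAN, and a captured cryptogram cannot be replayed or altered.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


def _cryptogram(key: bytes, dan: str, counter: int, amount: int,
                merchant: str, nonce: str) -> str:
    """One-time payment cryptogram (constructed scheme): an HMAC over the
    device account number, a monotonic counter, the amount, the merchant
    id and a fresh nonce. Any change to those fields changes the value."""
    data = f"{dan}|{counter}|{amount}|{merchant}|{nonce}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class TokenVault:
    """Issuer / token-service side (assumed model). Only this party can map
    the device account number (DAN) back to the real PAN, and only it
    holds the per-device key needed to verify cryptograms."""
    pan_by_dan: dict = field(default_factory=dict)
    key_by_dan: dict = field(default_factory=dict)
    last_counter: dict = field(default_factory=dict)

    def provision(self, pan: str) -> tuple:
        """Enroll a card: mint a DAN and a per-device key; the PAN stays here."""
        dan = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self.pan_by_dan[dan] = pan
        self.key_by_dan[dan] = key
        self.last_counter[dan] = 0
        return dan, key

    def verify(self, msg: dict) -> bool:
        """Authorize a transaction message forwarded by the merchant/acquirer."""
        dan = msg.get("dan")
        key = self.key_by_dan.get(dan)
        if key is None:
            return False                       # unknown token
        if msg["counter"] <= self.last_counter[dan]:
            return False                       # replayed or stale cryptogram
        expected = _cryptogram(key, dan, msg["counter"], msg["amount"],
                               msg["merchant"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False                       # tampered fields or wrong key
        self.last_counter[dan] = msg["counter"]
        return True


class DeviceSecureElement:
    """Phone side (assumed model): stores the DAN and key, never the PAN,
    and releases a cryptogram only after the user authenticates."""

    def __init__(self, dan: str, key: bytes):
        self._dan = dan
        self._key = key
        self._counter = 0

    def pay(self, amount: int, merchant: str, biometric_ok: bool) -> dict:
        if not biometric_ok:
            raise PermissionError("biometric authentication required")
        self._counter += 1
        nonce = secrets.token_hex(8)
        return {
            "dan": self._dan,                  # what the merchant sees
            "counter": self._counter,
            "amount": amount,
            "merchant": merchant,
            "nonce": nonce,
            "cryptogram": _cryptogram(self._key, self._dan, self._counter,
                                      amount, merchant, nonce),
        }


def demo() -> dict:
    """Walk one purchase through the model and report what each check returns."""
    vault = TokenVault()
    pan = "4111111111111111"                   # constructed sample PAN
    dan, key = vault.provision(pan)
    phone = DeviceSecureElement(dan, key)

    msg = phone.pay(amount=2599, merchant="STORE-42", biometric_ok=True)
    first = vault.verify(msg)                  # genuine transaction: True
    replay = vault.verify(msg)                 # same cryptogram again: False
    tampered = dict(msg, amount=259900)
    altered = vault.verify(tampered)           # amount changed in transit: False
    return {"pan_exposed": pan in msg.values(), "first": first,
            "replay": replay, "altered": altered}
```

    The point the model makes is that a merchant-side compromise of the kind seen at Home Depot yields tokens and spent cryptograms rather than reusable card numbers, because the PAN never leaves the vault and every cryptogram is bound to one counter value, amount and merchant.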

    What are the real-world issues that could hold back Apple Payments? Although many large issuers are backing the program, many large merchants are not. Walmart and Best Buy, for example, have said they do not plan to participate – at least initially – because of contractual obligations related to their participation in the Merchant Customer Exchange, a retailer-owned payments group that is about to launch a QR-code-based competitive product called CurrentC. CurrentC will support debit functionality linked to a customer’s checking account (decoupled debit), retailer-branded credit and debit cards, and retailer-branded gift cards – but not general-purpose bank credit or debit cards. Other major merchants who are leading the Merchant Customer Exchange include CVS, Lowe’s, Publix Supermarkets, Target, Sears, Shell, and Sunoco. None of these merchants are likely to be near-term Apple Pay participants.

    Then, of course, there are other payments competitors, such as Amazon and PayPal, which have not announced whether they plan to play in Apple’s sandbox.

    No new product entry is a sure thing, Apple Pay included, but we think Apple Pay is currently about as good as it gets in terms of a customer-centric, easy to use, and secure payments process.

    For more than 35 years, Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.

    Putting Pandemic Planning into...

    10-29-2014

    Media headlines continue to debate the world response to the current Ebola crisis. The spread of the disease and the attention paid to protocols have resurrected pandemic concerns, even though the Ebola virus is not airborne. Pandemic planning can be an important component of business resiliency plans, depending on the nature of the business and the risks to operations if people are ill or quarantined for extended periods of time. While the use of lockdowns and the discussion of airport security controls make for headlines on the news shows, managing risk for any pandemic starts with basic risk assessments. The World Health Organization (WHO) is updating its recommendations as it monitors this outbreak.

    I remember receiving my first due diligence questionnaire on avian bird flu as a service provider; it was sent as a mass mailing to all vendors of the requesting financial institution. At that time the risks and concerns world-wide were considerable; the approach of a mass mailing made the due diligence effort feel more like an exchange of paperwork to check a rudimentary business continuity compliance box vs. an assessment of the true third party risk.

    As the recent influx of guidance has shown, regulatory oversight of third party service providers is at an apex not seen in recent decades. Whether serving the financial institution, healthcare, energy, education, or government sector, each business vertical should assess risks for a pandemic and apply a risk-based approach to defining the level of readiness assessment for its third party service providers. The starting point is to look internally at the risk to your own operations if your employees or customers were at risk of contracting or spreading a communicable disease. The next lens is to look externally to your base of third party relationships and assess or triage their service to your organization, and the likelihood or risk that their service to you could be affected by restrictions on their people resources due to a disease like Ebola.

    Traditionally, geography has played a factor in the development of business continuity and disaster recovery plans. Earthquakes, hurricanes, tornadoes and floods can at least be planned for based on the likelihood of known environmental factors or anticipated weather patterns. The spread of disease, however, is based on human factors, and that is not only hard to predict but more difficult to manage and contain. While the source of the current outbreak is focused in a particular geographic region, we live in a very connected world. The focus on airport security and travel controls is thus an expected priority to help prevent the spread of disease. However, due to that same interconnectedness of technology and a global marketplace, organizations are also very dependent on third party service provider relationships.

    The starting point is the internal and external risk assessment.

    Review your existing risk profile within your organization

    Consider these questions as a starting point for developing a risk-based approach to defining your organization’s response to pandemic planning in light of recent events.

    • Is your organization in a unique situation of having greater potential of direct interaction with provision of service to people who may have come into contact with affected people?
    • Do you serve a geography that has greater potential for having people traveling to/from the affected regions?
    • Are your operations highly dependent on people and the availability of the labor force?
    • Do you have an existing business continuity plan that accounts for the potential of quarantines or long term employee absences?
    • Does your organization have critical third party service providers that are highly resource or people centric?

    Assess your third parties for risk outside your organization

    In a risk-based approach to third party risk, organizations triage and determine which third parties pose a higher pandemic business continuity risk to the organization, based on the nature of the services they are providing. Consider your dependency on their services, and the degree to which that service is directly related to supplier personnel. The first step is to review your inventory of vendors to determine which third parties have the greater potential to impact your operations if they incur staffing challenges due to pandemic or Ebola risks. The second step is to assess the need to confirm your third party vendors’ readiness to respond to the related risks. The third step is to evaluate your contingency plans or readiness plans across suppliers.

    Here are initial considerations to assess and confirm with only those critical third party service providers that have the greater potential to disrupt operations due to staffing challenges resulting from quarantine or long-term employee unavailability.

    • Does your third party supplier operate in a geography that has greater potential for having people traveling to/from the affected regions?
    • Is the service the third party provides highly people-centric, or does it require dedicated staffing levels?
    • Does your third party supplier have geographically dispersed operations to minimize risk of localized outbreaks of diseases?
    • Does your third party have the capacity to enable work from home for critical functions?
    • Does your contract or SLA address parameters for business continuity for situations of pandemic?

    Bottom line, monitoring business continuity risks for pandemics is important – Ebola brings a different nuance to that planning due to the unique nature of the spread of the disease. Organizations should not create a “one size fits all” approach to risk assessment for pandemics – each disease is different. When addressing third party risk, resources need to focus on the critical suppliers that pose the greatest risk potential, vs. a cookie cutter vendor questionnaire approach.

    Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.

    Vendor Risk Management – Kee...

    10-23-2014

    I’d like to make a bold statement: vendor risk management is easy. Step 1: Use contracts to set expectations, secure audit rights and transfer liability. Step 2: Conduct an assessment to determine if expectations are being met. Step 3: Remediate any issues identified during the assessment. This is very straightforward work.

    If this work is easy, why do we struggle with it? The answer is simple – resource constraint. Very few vendor risk management programs enjoy sufficient budgets to address all of the risk we intuitively know is out there. The effort to truly understand and report on an organization’s information security architecture and associated controls can take (at least) several person-weeks. Add statistically meaningful sampling to that and you can expect to double the effort or more. Add operational risk and double the estimate again. Unfortunately, if you’re in the vendor risk management space, you’ll be lucky to be able to devote more than a day or two to assessing a vendor. In fact, I’m aware of several financial institutions that expect each of their assessors to complete upwards of 100 vendor assessments per year.

    To accomplish such goals, we use questionnaires like the Shared Assessments Standard Information Gathering (SIG) questionnaire to get our vendors to self-assess, and we develop prioritization schemes to restrict who we assess and how frequently we assess them. We purposefully cut the corners where we perceive the risk is lower. Given the inherent resource constraints, this type of risk-focused optimization is appropriate and proper. Unfortunately, compressing a comprehensive audit into a two-day assessment doesn’t home in on risk. Instead, it usually results in some sort of awkward policy review.

    Too often I see organizations use the number of vendors they’ve assessed, the size of their questionnaire, or their ability to find issues with their vendors’ policies as evidence of the success of their vendor risk management programs. While these completeness metrics are operationally useful, they don’t necessarily get to the heart of the matter.

    I humbly propose that the best vendor risk management programs are the ones that resolve the most risk per unit of investment. So, instead of thinking in terms of cutting low-risk corners, I think in terms of focusing my limited resources on high risk targets – then making sure that the issues identified get resolved. There’s nothing more pointless than investing in issue enumeration without issue resolution.

    Therefore, I design my vendor risk management programs to focus on:

    • High-risk vendors – Focus assessment investment where exposure is the greatest.
    • Controls that directly mitigate high-risk incidents – Consider patch management. Policy may be a prerequisite for the vendor’s success, but I want to see screen shots of applied patches. Policy review takes time and doesn’t provide the final answer. I look, instead, at evidence of patching.
    • Controls that fail frequently – Many controls require an accurate inventory: access control, patching, media management. If the vendor can’t count what they need to apply the controls to, how can they succeed? And, as experience shows, maintaining accurate inventories is hard. Checking inventory accuracy is easy, and it’s an excellent leading indicator of probable control failure.
    • Easy-to-find issues – give me the most from my assessment budget.
    • Easy-to-fix issues – give me the most from my vendors’ remediation budgets (they’re resource-constrained too).

    At the end of the day, it’s not about vendors assessed, questions asked, or, absent the proper focus, issues resolved. It’s about targeting where the largest risks hide, enumerating those issues, and fixing them without excuse. When budgets are tight, as they always are in the vendor risk world, resolving the most risk starts with a focus on high-risk controls at high-risk vendors and ends with remediation. The assessment itself is just the glue in between.

    John Nye, CISA, CISM, CRISC, CISSP, is the Director of Technology Risk Solutions at ProcessUnity, a cloud-based provider of GRC solutions. He is responsible for the governance of ProcessUnity’s cloud-based, software-as-a-service solutions and advises clients in the art of third party vendor risk management. Nye has worked with firms such as @stake, Symantec and Moody’s as an assessor of third-party risk and has served as an information security executive for a mid-size technology service provider – protecting information and managing corporate risk from both sides of the due-diligence table.

    Whither Bank Regulation: Are W...

    10-14-2014

    I began my banking career in 1978 at an eight-branch affiliate of a $3 billion bank holding company. One of my roles was security officer. The prevailing law addressing bank security is the Bank Protection Act of 1968. In 1978 the operative regulation implementing the Act was Regulation P (for Protection; Reg P now stands for Privacy). Reg P wasn’t long, just a few pages. But it included Appendix A, which was much longer. Among other things, Appendix A prescribed the construction of bank vaults, including the thickness of vault walls and doors, the number of tumblers in the combination, and the type of ventilation. The Appendix also addressed the steps bankers had to take when entering their branch before opening, and the amounts and denominations of marked currency designated to be given to robbers. It described the required types and locations of surveillance cameras as well as the frequency of film exchange. It was, I think, an exemplar of the mindset behind prescriptive bank regulation. In that period, regulation was binary: you were either in compliance with the relevant regulation or you weren’t. Everyone knew the rules. But the rules didn’t always make sense. And every activity required its own rule. When Appendix A of Regulation P was first promulgated, 35mm film cameras were the state of the art. Of course, one of the few eternal verities is that technology always overtakes law; and so too, over the years, video overtook film both in terms of quality and cost.

    This is just an overwrought example of why, beginning in the mid-1980s, the regulatory agencies began migrating toward risk-based examination. It became accepted wisdom that each bank presented a unique risk profile, based on its products, services, and market areas. Teams of examiners were assigned full-time to large banks because it was believed that resident examiners who were more familiar with their bank would be better able to assess the bank’s management of its unique risk profile than examiners descending on the bank for its periodic safety and soundness examination. At the same time, the tone of regulations changed. The agencies issued “guidance”, using words like “should” and “consider”, instead of “shall” and “will”. One admittedly cynical description of risk-based examination is “We won’t tell you what to do, but we’ll sanction you when you don’t do it”.

    Bank regulation is like a pendulum. And pendulums tend to swing in one direction or the other seeking equilibrium. And the farther they swing to one side, the longer they take to achieve equilibrium. Just as in the 1970s they had swung too far in the prescriptive direction, by the turn of the century they had swung pretty far in the risk-based direction. Since the banking crisis in 2008, however, the arc seems to have changed direction back toward prescriptive. The agencies still issue guidance, but the tenor is changing. It will be interesting to track just how far the pendulum will arc.

    Santa Fe Group Strategic Advisor, Bob Jones, has led financial institution fraud risk management programs for more than 40 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.

    Healthcare Breaches Take Anoth...

    10-06-2014

    I was recently in the car listening to Janis Joplin’s “Take Another Little Piece of My Heart,” and it triggered a conversation I had a while ago with a banking executive regarding the similarities and differences between financial and health data breaches. While we agreed that financial breaches – on the surface – appear to be the most taxing on the affected individual (stress due to working with financial institutions to recover missing funds, late fee charges, interest, credit worthiness issues, etc.), I informed him that health data breaches take a more personal and longer toll on the affected party simply because you are now at the mercy of the individual who is now in possession of your data.

    Let’s look at why this is the case.

    Once you have been notified of a financial breach – either by your financial institution, the breached entity itself, or by discrepancies in your account – you take the normal steps of working with these entities to shut down the account, work to identify and rectify any fraudulent purchases, sign up for credit monitoring (which the breached entity usually covers for a short term period), get a new account established, and ultimately, you return to your life.

    Sadly, however, you receive no such relief or graces when it comes to a health data breach. You can’t simply request that the covered entity (the company providing the healthcare service) or the business associate (a third party service provider to the covered entity) provide you a new account and “free monitoring” of the use of your stolen health records.

    Reality settles in when you realize that the information that is supposed to be private between you, your family and your doctors is now assumed to be floating around somewhere – in some manner – on the Internet. Once your health data is breached, assume anyone and everyone will have access to your medical history. Your physical-medical background (aches and pains), your mental-medical background (psychiatric evaluations), your prescriptions, etc., are now likely somewhere on the Internet. You’re now left hoping this information never falls into the hands of a fraudster to be used in an inappropriate manner. Sadly, as we know all too well, hope is not really an option. Such data can be used (as has been reported in the 2013 Survey on Medical Identity Theft conducted by the Ponemon Institute and sponsored by the Medical Identity Fraud Alliance) for defrauding the healthcare system via bogus medical service and product claims, costing taxpayers in the billions. Also, knowing that your data can pop up anywhere and at inconvenient moments (Facebook, blogs, etc.) in the form of cyberbullying, or worse, blackmail, should send chills down your spine as to the various possible misuses of your health data.

    What has disturbed me in all of this is that I have yet to identify a single report of any hospital, nursing agency, or similar healthcare entity offering free or compensatory services as a way to help heal and sustain the customer relationship. They know they messed up, and the truth of the matter is that you can never get your medical history back into the confidential lockbox. The breached entities are now waiting for the class-action lawsuit to hit them (and even for personal lawsuits down the line), and the only monitoring they may be doing is of their own finances as they prepare for hefty payouts to the injured parties, as well as for fines imposed by Health and Human Services (HHS), which governs the use of protected health information (PHI) via HIPAA.

    Hospitals, medical centers, and the like are continuously investing in new medical technologies (scanners, lasers, etc.), as they should; however, technologies to ensure patient data protection should not play second fiddle. We see advertisements on television and in magazines about how these entities are investing in new technologies, but let’s face it, it’s simply not sexy (for lack of a better word) to mention on TV or in a glossy ad “…we utilize the latest network and enterprise encryption and monitoring technologies across our enterprise. Furthermore, our superior data access controls and periodic policy reviews help to ensure your medical records are safe”.

    Until we start to see covered entities and business associates working to maintain and sustain their patients’ trust by continuously ensuring there is adequate financial and human capital to support technologies and programs to safeguard health data, health data breaches may move from being extraordinary to being ordinary.

    And if that occurs, “Take another Little Piece of My Heart” may actually have an entirely different meaning.

    Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.

    No Secrets: Reporting Obligati...

    09-29-2014

    Once upon a time, privacy and information security were an afterthought during contract negotiations. But breach notification has fundamentally changed the process, causing organizations to become increasingly concerned with their service providers’ privacy and security practices. Breach reporting time periods and breach indemnification costs can be the most hotly contested provisions in a contract negotiation. This article discusses the multitude of privacy and security reporting obligations under HIPAA and state law and identifies potential contracting strategies to reconcile them.

    Because of HIPAA’s history, there are not one but actually three reporting obligations between business associates and covered entities: (1) breaches of unsecured protected health information; (2) impermissible uses and disclosures that do not rise to the level of a “breach”; and (3) security incidents. It is important to understand the distinctions between each and where there is latitude in the contracting process.

    Breaches of Unsecured Protected Health Information

    The newest of the reporting requirements is with respect to “breaches of unsecured protected health information.” This is the most serious type of incident because a business associate must report a breach of unsecured protected health information up the chain (e.g., to the covered entity or higher level business associate in the contracting chain), and the covered entity ultimately must report the breach to affected individuals, the U.S. Department of Health and Human Services (“HHS”), and the media (if more than 500 individuals were affected in a single state or jurisdiction). Breaches often lead to substantial breach notification costs (which may include credit monitoring), government investigations (and the potential for financial penalties or settlement), reputational harm for all involved, and heightened risk of a class action.

    An impermissible use or disclosure of protected health information is presumed to be a “breach” unless: (1) the protected health information was secured through appropriate encryption or destruction; (2) one of three statutory exceptions applies; or (3) the covered entity or business associate conducts a breach risk assessment and determines that there is a “low probability of compromise” of the information. The three statutory exceptions are narrow, applying to certain unintentional acquisitions of protected health information by members of the workforce and other persons acting under the authority of the organization (e.g., an employee accidentally accesses the wrong record when doing his or her work), to certain inadvertent disclosures where the unintended recipient was also authorized to access the information (e.g., a record is sent to the wrong doctor, but the doctor was authorized to access the record anyway), or to certain disclosures where the organization has a good faith belief that the unintended recipient could not retain the information (e.g., a misdirected letter is returned, unopened, as undeliverable).

    The more important exception is where a breach risk assessment determines a low probability of compromise. The risk assessment must at a minimum consider four factors: (1) the nature and extent of the protected health information involved (e.g., is it readily identifiable and does it contain sensitive information); (2) the unintended recipient (e.g., is it a person or organization who has similar legal obligations to maintain the confidentiality of the information); (3) whether the information was actually accessed or viewed (e.g., was a device lost but then recovered, with forensic analysis concluding that the information was not accessed); and (4) the extent to which any mitigation is successful (e.g., the unintended recipient destroys the information without using or disclosing it). There remains confusion regarding what HHS considers a “compromise” and how it expects that the above four factors interplay. The regulatory preamble, though, suggests a high bar for applying these four factors and determining a low probability of compromise.

    If an impermissible use or disclosure of protected health information does not fall within an exception, then it is a “breach of unsecured protected health information” and the business associate must report it to the covered entity (or the higher business associate in the contracting chain) without unreasonable delay, and in no case later than 60 calendar days after discovery. HIPAA permits a reporting delay when requested by law enforcement. The notification must include certain content to the extent available, including: (1) the identity of individuals affected; (2) a brief description of what happened, including the dates of breach and discovery; (3) a description of the types of protected health information involved; (4) any steps that individuals should take in response (e.g., check credit reports); (5) a description of what the business associate is doing to investigate the breach, mitigate harm, and protect against further breaches; and (6) contact information for the business associate.

    Other Impermissible Uses and Disclosures

    Even before HIPAA required notification of breaches of unsecured protected health information, the HIPAA Privacy Rule has always required business associate agreements to require the business associate to report all impermissible uses and disclosures of protected health information. The HIPAA regulations do not include any timing or content requirements for impermissible uses and disclosures that do not rise to the level of a breach. Rather, the timing and content of reporting is entirely at the discretion of the parties.

    Security Incidents

    The third type of report is a security incident, which is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” The HIPAA Security Rule has always required business associate agreements to require the business associate to report any security incidents. The regulations do not specify timing and content requirements; rather these are entirely at the discretion of the parties.

    In some instances, a security incident qualifies as a breach of unsecured protected health information. In other instances, such as destruction of information, it would not qualify or give rise to a breach because there is no impermissible use or disclosure of protected health information.

    Contracting Options

    Once a business associate understands its three distinct reporting obligations under HIPAA, it should consider how it will operationalize them and develop a corresponding contracting strategy. One option is to treat all impermissible uses and disclosures and security incidents as “breaches of unsecured protected health information,” in which case no breach risk assessment is ever necessary but all incidents must be reported within a certain time (without unreasonable delay and in no case later than 60 days after discovery, or shorter if required by the contract) and with all of the elements of a formal breach notification. The second option is to informally report all impermissible uses and disclosures and security incidents, conduct a breach risk assessment, and provide more detailed notification for incidents that rise to the level of a “breach.”

    Each option has its advantages and drawbacks. Option 2 is advantageous for the business associate in that it allows more limited reporting for less serious incidents that do not rise to the level of a breach. Covered entities, however, may be unwilling to give this level of discretion to the business associate and instead insist on formal breach notification for all instances. Accordingly, Option 1 may lead to easier contract negotiations.

    Whether the business associate will be able to push a particular option will depend largely on how much leverage it has during the contract negotiation. But business associates should be sensitive to what they can actually operationalize and avoid agreeing to unrealistic terms, even when they have limited leverage. For example, a covered entity may insist on a five-day reporting period, or even a 24-hour reporting period (or, worst case, a one hour reporting period). Here, a tiered reporting strategy is critical. It may be possible to provide an initial, informal notification within a very short reporting period. This initial notice will put the covered entity at ease that they will not first learn of an incident 60 days after the business associate’s discovery. But it is far more challenging to provide full breach notification, with the six elements described above, within such a short reporting period.

    The issue of “agency” may become a critical issue in negotiating reporting requirements. If the covered entity controls the manner in which the business associate’s work is performed (e.g., it can provide interim instructions above and beyond the contractual terms), then the covered entity will be deemed to know of a breach as soon as the business associate discovers the breach. In such cases where the business associate is considered an “agent” of the covered entity (rather than an independent contractor), the covered entity’s requirements to notify individuals, HHS, and the media begins as soon as the business associate discovers the incident. Accordingly, the greater the covered entity’s control over the manner in which the business associate works, the shorter the reporting time period the covered entity may insist upon.

    Additionally, business associates should consider how they will address the extremely broad definition of “security incident,” which encompasses mere attempts (regardless of whether successful). The state of the world is such that a business associate may experience thousands of failed attempts at unauthorized access or interruption of services each day, and it may be unrealistic to log and report each attempt. Accordingly, one contracting strategy is to provide proactive notification, in the business associate agreement itself, of the regular occurrence of unsuccessful attempts. This may offer the best solution for both parties, as neither party may be interested in knowing about such attempts. But some covered entities may be unwilling to take this approach because the HIPAA Security Rule requires the contract to require the business associate to report any “security incidents” (which is defined to include such attempts), and does not include a carve-out or formal guidance suggesting that proactive notice will suffice.

    Regardless of the reporting terms that the parties reach, the business associate should remain cognizant of state laws that may impose stricter requirements. These state laws are usually – but not always – limited to “computerized data” and “personal information” that creates a risk of identity theft. But the state law may require the business associate to report any breach of security “immediately” or may include a specific deadline.

    In sum, business associates are subject to a variety of reporting requirements, including breaches of unsecured protected health information, impermissible uses and disclosures that do not rise to the level of a breach, security incidents, and state law requirements. It is important for business associates to understand the various obligations and develop policies and procedures that comply with all of them. The business associate then should try to conform its contracts to its operations, agreeing to provisions that satisfy the covered entity but are operationally realistic for the business associate. Otherwise, it is easy for the business associate to find itself agreeing to whatever terms the covered entity seeks, but ending up in a quagmire with hundreds of varying customer breach notification obligations that may not be achievable in practice.

    Adam Greene is a partner in the Washington, D.C. office of Davis Wright Tremaine and co-chair of its Health Information Group. Adam primarily counsels health care providers, technology companies, and financial institutions on compliance with the HIPAA privacy, security, and breach notification rules. Previously, Adam was a regulator at the U.S. Department of Health and Human Services, where he was responsible for determining how HIPAA rules apply to new and emerging health information technologies and was instrumental in the development of the current HIPAA enforcement process.

    Goodwill’s Third Party Due D...

    09-23-2014

    Like everyone else glued to the media outlets this past week regarding the Home Depot breach I was softly sobbing to myself “here we go again” particularly after I just made a visit and a purchase with my credit card. However, this discussion isn’t about the Home Depot breach, but rather a less-than recent breach (with new information) that hasn’t drawn nearly as much attention as it should have.

    You may or may not recall much press on the Goodwill Industries breach back in July, as it was reported that numerous banks informed them of a possible breach of customer credit and debit card data. The security website Krebs On Security further noted that “Goodwill later confirmed that the breach impacted a portion of its stores, but blamed the incident on an unnamed third party vendor. This week, the third party vendor in question turned out to be C&K Systems, a huge player in the management and deployment of Cloud based retail point-of-sale environments for small to medium specialty retailers, based in Chesapeake, VA.”

    Further research into the breach indicates Goodwill is turning a blind eye to the situation. As C&K Systems perform their suite of services in the Cloud, Goodwill’s vice president of marketing and development for Southwestern Pennsylvania reportedly remarked, “we don’t hold any of [our customer’s] credit card information in our computers…we’re feeling like this is a situation that’s not going to involve us, and we hope it stays that way.”

    Note the comment “…it’s not going to involve us, and we hope it stays that way”. Uh oh…

    Allow me to quote the great 20th century English scribe Robert Plant “…And it makes me wonder…” with regards to whether industry best practices were indeed followed in the third party/vendor selection process. Let’s remember that any company making such a claim needs to be aware that this truly has an impact on “us” (that is, the company) with regards to reputational risk. In this example, no one is going to remember this as the “C&K Systems” breach, rather they’ll remember the “Goodwill” breach.

    When it comes to third party risk (TPR) I’ve preached often that you simply cannot turn a blind eye to your third party service providers, pointing over to them and explaining to someone “it’s their fault.” Be aware that such inaction can do more harm to your organization than you could ever realize. And if you’re regulated to provide oversight on your third party providers, let’s not even discuss the puzzled look that will be seen on a regulator’s face upon hearing such a comment.

    Be sure to use TPR best practices in performing your due diligence. Don’t simply review a third party service provider (TPSP) SOC2 report or a PCI-DSS Report of Controls (ROC) and say “this looks ok – I trust them with our data,” for that is never enough. Regardless if you are a regulated entity or not, you should still perform a thorough analysis of their performance and handling of security, change control, network management and any other components as identified in the Shared Assessments SIG questionnaire. And perform this analysis periodically, to ensure you’re comfortable with the effectiveness of their policies and procedures. Establish clear guidelines regarding their handling and notification should a breach occur to your data. This should help you to accept any risks associated with using this vendor.

    Remember, when dealing with any TPSP, to always assess controls with the same level of care and due diligence you would if it were an internal department handling critical and confidential data. TPSPs should be treated as an extension of your organization, and watchful eyes should always be kept on them.

    By adhering to these principles you will get a detailed understanding of your TPSP’s handling of your data. It’s one less thing to worry about as you continue to (again, to quote Robert Plant) “ramble on” and do what you do best: service the needs of your customers.

    Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.

    Sources:

      1) http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months/#more-27835

      2) http://www.post-gazette.com/business/2014/07/23/Amid-Goodwill-s-probe-of-possible-data-theft-local-branch-said-no-evidence-of-breach/stories/201407230030

    Apple Pay – And Dynamic Paym...

    09-12-2014

    Although Apple’s payments announcement on Tuesday was not a surprise, the platform’s mechanics were largely unknown before Tim Cook’s on-stage introduction at the Flint Center in Cupertino. Cook set the context for Apple’s payments vision quite accurately:

      “Most people that have worked on this have started by focusing on creating a business model that was centered around their self-interest instead of focusing on the user experience. We love this kind of problem. This is exactly what Apple does best. And so, we’ve created an entirely new payment process and we call it Apple Pay.” ((http://www.nfcworld.com/2014/09/09/331431/transcript-apple-ceo-tim-cook-svp-eddy-cue-introduce-apple-pay-mobile-payments-nfc/))

    Security has been increasingly central to user concerns about all electronic payments processes, and this week’s confirmation of another large data breach at Home Depot has kept the focus on a threat that is arguably unsustainable if we are to avoid a crisis of confidence in consumer payments. So Apple’s introduction of a payments process that goes further than others in mitigating risks at both the physical and virtual points of sale is a very big deal indeed.

    Let’s have a quick look at how Apple Pay works. Transactions are authorized using the biometric finger print detection functionality that’s on the latest iPhones, and that’s only after a user has entered a PIN to log on to the device. So we start with biometrics, a strong plus. Cook explained:

      “…when you add a new credit card, we don’t store the credit card number, we don’t give it to the merchant.

      “We create a device-only account number [token] and we store it safely in the secure element and each time you pay, we use a one-time payment number [dynamic payment token] along with a dynamic security code so you no longer have the static code on the back of your plastic card and if your iPhone is lost or stolen, you can use Find my iPhone and suspend all of the payments from that device… Now, security is at the core of Apple Pay, but so is privacy.

      “We are not in the business of collecting your data. So, when you go to a physical location and use Apple Pay, Apple doesn’t know what you bought, where you bought it, or how much you paid for it. The transaction is between you, the merchant and your bank. It’s fast, it’s secure and it’s private.” ((http://www.nfcworld.com/2014/09/09/331431/transcript-apple-ceo-tim-cook-svp-eddy-cue-introduce-apple-pay-mobile-payments-nfc/))

    Apple Pay, then, uses dynamic payment tokens that change with each transaction, a real secure element (no host card emulation), a protocol where no Primary Account Numbers (PANs) are stored anywhere on the device, biometric-only payment authentication and initiation, and an easy to use transaction initiation process that works both at the physical point of sale and in cyberspace. The process uses existing rails and focuses on payments instruments (bank credit and debit cards) that consumers have historically seen as the best way to pay. Clearly, there’s a lot here to like, including – for me in particular – the use of dynamic payment tokens, which materially contribute to making the process less risky.

    What are the real world issues that could hold back Apple Pay? Although many large issuers are backing the program, many large merchants are not. Walmart and Best Buy, for example, have said they do not plan to participate – at least initially – because of contractual obligations related to their participation in the Merchant Customer Exchange, a retailer owned payments group that is about to launch a QR code based competitive product called CurrentC. CurrentC will support debit functionality linked to a customer’s checking account (de-coupled debit), retailer branded credit and debit cards, and retailer branded gift cards – but not general purpose bank credit or debit cards. Other major merchants who are leading the Merchant Customer Exchange include CVS, Lowe’s, Publix Supermarkets, Target, Sears, Shell, and Sunoco. None of these merchants are likely to be near term Apple Pay participants.

    Then, of course, there are other payments competitors, such as Amazon and PayPal, which have not announced whether they plan to play in Apple’s sandbox.

    No new product entry is a sure thing, Apple Pay included, but we think Apple Pay is currently about as good as it gets in terms of a customer-centric, easy to use, and secure payments process.

    For more than 35 years, Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.

    How to Respond to the Regulati...

    09-08-2014

    As a follow up to my previous blog on how the avalanche of regulation can stifle innovation in banks and credit unions, I wanted to share some ideas to start the discussion on organizational steps that you can take to enhance the risk and compliance culture. Maturing the processes internally requires education – and while that takes time and effort, it can pay off by streamlining decision making. By getting started now, you should avoid being buried in the avalanche.

    Assess Your Organization’s Risk Appetite

    Each organization has developed a culture and risk appetite that can be influenced by internal and external factors.

    Recent data breaches and cyber-attacks have shifted the attention to corporate governance. Enforcement actions, risk committees and regulatory audit pressures advance the need for financial institutions to assess internally their risk posture. Governance models should be risk-based – and right sized based on the market landscape.

    The regulatory burden however has accelerated a focus on stringent controls, without identifying the operational and business readiness steps needed to help financial institutions innovate and advance their marketing efforts. Investing in people, process, and education at all levels can improve the “Risk IQ” internally. That can result in more effective decision-making, and advancing speed to market for innovative products and services.

    Prepare for Digital Revolution in Marketing

    As recently published in the ABA Bank Marketing and Sales magazine, an Accenture survey showed that 78% of marketing executives believe corporate marketing will undergo a fundamental transformation over the next 5 years. Big Data, analytics, mobile, and digital marketing are advancing at an avalanche pace. Most banking organizations may not be equipped to prepare both the roadmap that enables the digital technology revolution and the risk management governance culture needed to meet compliance obligations.

    The survey also conveyed that most companies may not have prepared the organizational readiness to operationalize the new technologies to deliver value to customers. Any new technology brings up the risk question – just like innovation brings up compliance.

    Enhancing Your Risk & Compliance Culture

    While the pendulum for shifting governance and oversight has forced a more conservative approach, that correction can be balanced by broadening the risk acumen and organizational agility with an intentional strategic plan. Accountability is a critical success factor in the new landscape of demonstrating how risk is addressed.

    Organizations need to move beyond checklist compliance to truly managing risk. Taking steps to invest in readiness for executives to make informed business decisions, and manage risk without halting innovation, is an important element in risk process maturity.

    Here are five simple things your organization can do to help minimize the stifling of creativity while meeting the burdens of regulatory compliance:

    1. Create a Risk & Compliance Education & Awareness Plan: Develop an internal communication plan for all levels of the organization, to expand acumen on changes in regulation and regulator expectations. Executives will need to have more familiarity with the governance processes, and how they are evolving. Identify your internal stakeholders who manage different areas of risk, and define what types of training or education they may need to help them in the governance process.
    2. Broaden Executive Management Reporting: With expanded risk & governance committees, assess internal scorecards and dashboards to ensure that the “hows” are being monitored and addressed. Governance is an ongoing process, not a once and done event. Consider starting quarterly educational scorecards for Audit Committees to broaden their industry awareness of changes in expectations and the organizational action in process to respond to market events. Look at the makeup of current decision makers and even Board Members, to identify what gaps in functional experience could make enabling technology and product innovation simpler to execute. Identifying the “Digital Director” can help streamline the navigation for technology innovation, and mobile opportunities.
    3. Broaden Tools to Enable Consistent Governance: Risk process maturity comes from repeatability and scoping. Understand the decision makers for changes in the nature and structure of a process, and embed compliance requirements up front in the design phase. Ensure feedback loops are in place from your customer complaint process to not just “react” to complaints, but to show ownership in the risk monitoring. Structure standardized templates that directly speak to “how” compliance has already been addressed in product release plans.
    4. Practice your Risk Posture Positioning: Proactive risk and compliance management requires taking a bit of the fear, uncertainty, and doubt off the table. Figure out how to tell the compliance story to your internal stakeholders, the board, and your regulator. Practice how you would defend the decisions made and how you met the compliance burden.
    5. Clarify Roles & Responsibilities: It can take a village to manage risk & compliance in financial services. Ensure that lines of sight and organizational accountabilities are clear, so that ownership for governance is understood. If products or services are outsourced, ensure that the third party risk management governance model and process is updated to account for non-IT risks.

    We need regulation in financial services, to avoid a repeat of the mistakes seen during the Financial Crisis. The structuring and marketing of financial products and services needs to continually evolve, but at a much faster pace due to the pace of technology innovation. The avalanche of regulation and the corresponding delays in product enhancement are an “ice-bucket” wake up call for financial services. As an industry, we need to understand how regulation can stifle innovation, take steps to address the fear, uncertainty and doubt within our organizations, and identify ways to tip the scales and create a more balanced governance model for compliance and innovation.

    Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    Payment Tokens and Standards, ...

    09-04-2014

    The last couple of months have seen a more focused and public discussion between merchants and banks about how the standards that will underlie payment tokens should be crafted. An oversimplified summary of positions would suggest that merchants want an ISO based standards development process, which would allow for more inclusive participation and more confidence in a truly open payment token ecosystem, while banks argue that, because of the rapid growth of card not present (CNP) fraud and the expectation of geometric increases as EMV security measures reduce fraud opportunities at the physical point of sale, there isn’t time for the notoriously slow process that hamstrings almost all ISO related work.

    What’s interesting to me is that this debate raises – once again – the question of why standards development can be so contentious and whether there is in fact an ideal time for standards development. These are not new questions, and in fact there is useful work that defines the “ideal” time for standards development as a function of the time relationship between technology interest on one hand and “political” interest, which is fueled by economic concerns of the type we’re seeing now in both the banking and merchant communities, on the other. This framework can place useful context around the current situation where payment token stakeholders are at odds about the mechanics of the standards process, and at a high level might suggest an approach to make it more palatable.

    In 1990 James Gosling, the Sun Microsystems engineer who developed Java, wrote what he described as a “moderately sarcastic” note about Phase Relationships in the Standardization Process (see Appendix). He begins with Toshi Doi’s diagram, which describes the ideal window for standards development (“W” in the diagram below) as the time when technical interest is declining because the technology is well understood, but the “political” (economic) environment hasn’t yet become so contested that constructive negotiations between stakeholders are no longer possible.

    [Diagram: Toshi Doi’s standardization window (W), technical interest versus political interest over time]

    He goes on to suggest that both technology interest and political interest activities have consequences (or results) which can be seen as integrals of the activity curves (see figure, below, and the Appendix for a full discussion). In this figure, Gosling says “the integral of Ta is K (knowledge) and the integral of Pa is C (calcification – revealing a strong personal cynicism). Ss, the sensibility of standardization, is just K-C. The optimum time for standardizing a technology is when Ss is at a maximum, which will be in a region where knowledge is high, but calcification has not yet set in.”

    [Diagram: activity curves Ta and Pa and their integrals K (knowledge) and C (calcification)]

    After walking through a small series of progressively more gloomy scenarios, Gosling sums up the fundamental issue as he saw it in 1990:

      The sad truth about the computer industry these days is that it is this last case that is dominating a broad range of standards activities. Standards are regularly created and adopted before anyone has performed the experiments necessary to determine if they are sensible. Even worse, standards are getting accepted before they are even written, which is a truly ridiculous situation.

      How this arises is clear: standards are increasingly being viewed as competitive weapons rather than as technological stabilizers. Companies use standards as a way to inhibit their competition from developing advantageous technology. As soon as technical activity is observed by political/economic forces, their interest rises dramatically because they see a possible threat that must be countered before it gains strength.

      The result of this is a tremendous disservice to both users and consumers of technology. Users get poor quality technology, and because of the standards process, they’re stuck with it.

    This discussion is relevant to our current payment token circumstances.

    MasterCard, Visa, and other EMVCo owners are careful to say that EMVCo develops specifications, not standards. But of course the difference between specifications and standards may be ephemeral in an environment where companies (or groups of companies) develop them to put a damper on technology development by others, and to create market advantage for themselves.

    Let’s look at the current situation in terms of Toshi Doi and James Gosling’s notion of “political” interest. What is EMVCo’s motivation for creating a payment token specification at what one of its senior staffers describes as “lightning speed?”

    If we take EMVCo and bank statements at face value, I’d suggest the motivation may be fundamentally different from the competitive advantage quest Gosling sees in his admittedly “moderately sarcastic” perspective on standards development. What’s different here is that speed to market is motivated by a desire to head off geometric increases in card not present fraud as the ongoing chip process better secures the physical point of sale and the United States moves closer to the October 2015 liability shift date at the point of sale. Effective fraud mitigation will be good for all stakeholders, and like it or not the EMVCo process is the most likely vehicle to yield an actionable payment token product in time to put a dent in the CNP fraud shift resulting from the implementation of Chip at the point of sale.

    So what to do in the current environment where merchants, the card brands, and banks are so at odds? One approach to test true motivation could be to secure a commitment from EMVCo to implement the specification in flexible ways that encourage maximum stakeholder participation in the ecosystem: for example, to establish market mechanisms to make sure that a wide variety of players (including merchants) have the opportunity to operate token vaults, and to ensure that functionality that may not appear practical at launch, such as mass deployment of single use tokens, is not precluded in the future when the processing overhead is no longer so great as to make its use difficult at scale.

    Stakeholders have more of a common economic interest in short-term payment token development than the emotional tone of the current discussion suggests. Those common interests should lead, in relatively short order, to a more productive tone in the industry’s token standards discussion.

    APPENDIX

    Phase Relationships in the Standardization Process
    James Gosling
    August, 1990

    This is a moderately sarcastic note on the phases that the standardization process goes through, and the relationship between the level of technical and political interest in a topic. It is purely a personal view.

    Diagram 1 (Diagram A)

    Toshi Doi of Sony describes the standardization process in terms of Diagram A. The i axis describes level of interest and the t axis describes time. Ti describes technical interest, and Pi describes political interest. As time passes, technical activity declines as the technology becomes understood. Similarly, generally fueled by economic pressures, the political interest in a technology increases in some period.

    For a standard to be usefully formed, the technology needs to be understood: technological interest needs to be waning. But if political interest in a standard becomes too large, the various parties have too much at stake in their own vested interest to be flexible enough to accommodate the unified view that a standard requires.

    In this model, Ws is the ‘window of standardization’ where technical interest is waning (i.e. the technology has become understood), but the political situation hasn’t become too hotly contested for constructive negotiating.

    Diagram 2

    This model has many interesting insights, but there is more complexity in the situation that can be explored. In the original model, the T and P curves are open ended. The situation is more like the diagram at left. These curves, Ta and Pa, represent technical activity and political activity. In general, technical activity precedes political activity. Both types of activity go through phases of different intensity. As these activities proceed, they produce results. The result curves are the integrals of the activity curves.

    Diagram 3

    The integrals of these two curves are drawn at left. The integral of Ta is K (knowledge) and the integral of Pa is C (calcification – revealing a strong personal cynicism). Ss, the sensibility of standardization, is just K-C. The optimum time for standardizing a technology is when Ss is at a maximum, which will be in a region where knowledge is high, but calcification has not yet set in.

    A very interesting quantity to observe is the phase relationship between Ta and Pa. When the maximum point on Pa follows the maximum point on Ta by a sufficient distance, there is a wide Ss window. A sensible standard can be fairly easily set since the political activity which leads to the standard has the necessary technical knowledge in hand when needed. If Pa lags Ta sufficiently, Ss will have a long high flat top, which forms a convenient table on which to work.

    Diagram 4

    Consider moving Pa left, closer to Ta. When it is close to Ta, Ss will have a shallow and flat region where the upward slope of Ta matches Pa approximately. This region is the time of chaos. Before calcification builds up, there isn’t enough knowledge to do anything sensible, by the time that there is enough knowledge, there’s too much calcification to allow a sensible compromise to be reached. In between, the region is flat enough that there isn’t a clearly defined optimum moment for developing a standard, so there is instead a drawn out period of chaotic bargaining and soul searching.

    Diagram 5

    Consider moving Pa even farther left, until it is to the right of Ta. This is the worst case: Ss is always negative. The long flat minimum region is the time of panic where the political/economic process has decided that a technology needs to be standardized, but no one understands it. Standards get set by making random guesses that are not grounded in any technical reality, but are instead grounded totally on political expedience.

    Diagram 6

    The case described in the previous diagram is impossible in practice. The very act of setting a standard inhibits technical activity, reducing the Ta curve and sharply flattening the K curve. Ss never rises to a positive level of sensibility.

    The sad truth about the computer industry these days is that it is this last case that is dominating a broad range of standards activities. Standards are regularly created and adopted before anyone has performed the experiments necessary to determine if they are sensible. Even worse, standards are getting accepted before they are even written, which is a truly ridiculous situation.

    How this arises is clear: standards are increasingly being viewed as competitive weapons rather than as technological stabilizers. Companies use standards as a way to inhibit their competition from developing advantageous technology. As soon as technical activity is observed by political/economic forces, their interest rises dramatically because they see a possible threat that must be countered before it gains strength.

    The result of this is a tremendous disservice to both users and consumers of technology. Users get poor quality technology, and because of the standards process, they’re stuck with it.
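
    Gosling’s phase-relationship argument (Diagrams 3 to 5 above) can be made explicit with a short derivation. This is an editorial addition, not part of Gosling’s note or of the article; it assumes that political activity is a delayed copy of technical activity, Pa(t) = Ta(t − d) with lag d, and that Ta vanishes far enough in the past for the integrals to converge. Gosling’s note does not state this form; it is the simplest one that reproduces his three cases.

$$
\begin{aligned}
K(t) &= \int_{-\infty}^{t} \mathrm{Ta}(s)\,ds, \qquad
C(t) = \int_{-\infty}^{t} \mathrm{Pa}(s)\,ds, \qquad
\mathrm{Ss}(t) = K(t) - C(t) \\[4pt]
\frac{d\,\mathrm{Ss}}{dt} &= \mathrm{Ta}(t) - \mathrm{Pa}(t),
\quad\text{so } \mathrm{Ss} \text{ is maximal where political activity first overtakes technical activity} \\[4pt]
\text{With } \mathrm{Pa}(t) = \mathrm{Ta}(t-d):\quad
C(t) &= \int_{-\infty}^{t} \mathrm{Ta}(s-d)\,ds = \int_{-\infty}^{t-d} \mathrm{Ta}(u)\,du = K(t-d) \\[4pt]
\mathrm{Ss}(t) &= K(t) - K(t-d) = \int_{t-d}^{t} \mathrm{Ta}(u)\,du
\end{aligned}
$$

    So Ss(t) is simply the technical activity accumulated over the most recent window of length d, and the three diagrams fall out of the sign and size of d. If Pa lags Ta sufficiently (Diagram 3), with Ta having run its course by some time T and d > T, then Ss(t) = K(T) for every t between T and d: the long high flat top on which a standard can be set with all the knowledge in hand. If Pa is close to Ta (Diagram 4), d is small and Ss(t) ≈ d · Ta(t), a shallow bump with no distinct optimum: the time of chaos. If Pa is moved left of Ta so that political activity precedes technical activity (Diagram 5), d is negative and Ss(t) = −∫ from t to t+|d| of Ta(u) du ≤ 0 for all t, so the standard is demanded before the knowledge exists: the time of panic.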

    For more than 35 years, Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.